From 7ef9e1b9392bae7c88bf7fb7c1f65c8036470eec Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 17 Apr 2026 15:19:40 +0200 Subject: [PATCH 01/22] C#: Rename SsaImpl input. --- .../ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index b3a95977be99..274c495cf564 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -9,7 +9,7 @@ private import semmle.code.csharp.controlflow.Guards as Guards private import semmle.code.csharp.dataflow.internal.BaseSSA private import semmle.code.csharp.internal.Location -private module SsaInput implements SsaImplCommon::InputSig { +private module SsaImplInput implements SsaImplCommon::InputSig { class SourceVariable = Ssa::SourceVariable; /** @@ -41,7 +41,7 @@ private module SsaInput implements SsaImplCommon::InputSig } } -import SsaImplCommon::Make as Impl +import SsaImplCommon::Make as Impl class Definition = Impl::Definition; @@ -815,7 +815,7 @@ private module Cached { predicate variableWriteQualifier( BasicBlock bb, int i, QualifiedFieldOrPropSourceVariable v, boolean certain ) { - SsaInput::variableWrite(bb, i, v.getQualifier(), certain) and + SsaImplInput::variableWrite(bb, i, v.getQualifier(), certain) and // Eliminate corner case where a call definition can overlap with a // qualifier definition: if method `M` updates field `F`, then a call // to `M` is both an update of `x.M` and `x.M.M`, so the former call From 72d21a9a56c885f054cd2b4bcd0614f6e0586639 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 17 Apr 2026 15:25:22 +0200 Subject: [PATCH 02/22] C#: Instantiate shared SSA wrappers. --- .../lib/semmle/code/csharp/dataflow/SSA.qll | 4 ++- .../code/csharp/dataflow/internal/BaseSSA.qll | 25 ++++++++------ .../code/csharp/dataflow/internal/SsaImpl.qll | 33 +++++++++++++++++++ 3 files changed, 51 insertions(+), 11 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 8f5b04c6708a..7670774da980 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -3,12 +3,14 @@ */ import csharp +private import internal.SsaImpl as SsaImpl +import SsaImpl::Ssa_ /** * Provides classes for working with static single assignment (SSA) form. */ module Ssa { - private import internal.SsaImpl as SsaImpl + import SsaImpl::Ssa_ pragma[nomagic] private predicate assignableDefinitionLocalScopeVariable( diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll index 63a9e782250f..0e879ac94123 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll @@ -1,9 +1,20 @@ -import csharp +private import csharp as CS /** * Provides a simple SSA implementation for local scope variables. */ module BaseSsa { + private import BaseSsaImpl + + class SimpleLocalScopeVariable = BaseSsaImpl::SimpleLocalScopeVariable; + + module Ssa = SsaImpl::MakeSsa; + + import Ssa +} + +private module BaseSsaImpl { + private import CS private import AssignableDefinitions private import codeql.ssa.Ssa as SsaImplCommon @@ -13,7 +24,7 @@ module BaseSsa { predicate ref() { any() } cached - predicate backref() { (exists(any(SsaDefinition def).getARead()) implies any()) } + predicate backref() { (exists(any(BaseSsa::SsaDefinition def).getARead()) implies any()) } } /** @@ -112,11 +123,9 @@ module BaseSsa { } } - private module SsaImpl = SsaImplCommon::Make; - - private module SsaInput implements SsaImpl::SsaInputSig { - private import csharp as CS + module SsaImpl = SsaImplCommon::Make; + module SsaInput implements SsaImpl::SsaInputSig { class Expr = CS::Expr; class Parameter = CS::Parameter; @@ -139,8 +148,4 @@ module BaseSsa { w.isParameterInit(v) } } - - module Ssa = SsaImpl::MakeSsa; - - import Ssa } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 274c495cf564..0c2ecf96b8f2 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -43,6 +43,39 @@ private module SsaImplInput implements SsaImplCommon::InputSig as Impl +private module SsaInput implements Impl::SsaInputSig { + private import csharp as CS + + class Expr = CS::Expr; + + class Parameter = CS::Parameter; + + class VariableWrite extends AssignableDefinition { + Expr asExpr() { result = this.getExpr() } + + Expr getValue() { result = this.getSource() } + + predicate isParameterInit(Parameter p) { this.(ImplicitParameterDefinition).getParameter() = p } + } + + predicate explicitWrite(VariableWrite w, BasicBlock bb, int i, SsaImplInput::SourceVariable v) { + exists(AssignableDefinition ad | variableDefinition(bb, i, v, ad) | + w = ad or + w = getASameOutRefDefAfter(v, ad) + ) + or + exists(Parameter p | + implicitEntryDefinition(bb, v) and + i = -1 and + p = v.getAssignable() and + pragma[only_bind_out](p.getCallable()) = pragma[only_bind_out](v.getEnclosingCallable()) and + w.isParameterInit(p) + ) + } +} + +module Ssa_ = Impl::MakeSsa; + class Definition = Impl::Definition; class WriteDefinition = Impl::WriteDefinition; From e5d219a039342f15d64d3a49ece1e1c5fbf3aa79 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 13:38:28 +0200 Subject: [PATCH 03/22] C#: Simplify library instantiations. --- .../controlflow/ControlFlowReachability.qll | 12 +----------- .../semmle/code/csharp/controlflow/Guards.qll | 18 +----------------- .../semmle/code/csharp/dataflow/Nullness.qll | 4 ++-- 3 files changed, 4 insertions(+), 30 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll index 33d96a61fc7e..4ec4dad9e1be 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll @@ -26,17 +26,7 @@ private module ControlFlowInput implements InputSig; class GuardValue = GuardsImpl::GuardValue; private module LogicInput implements GuardsImpl::LogicInputSig { - class SsaDefinition extends Ssa::Definition { - Expr getARead() { super.getARead() = result } - } - - class SsaExplicitWrite extends SsaDefinition instanceof Ssa::ExplicitDefinition { - Expr getValue() { result = super.getADefinition().getSource() } - } - - class SsaPhiDefinition extends SsaDefinition instanceof Ssa::PhiNode { - predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) { - super.hasInputFromBlock(inp, bb) - } - } - - class SsaParameterInit extends SsaDefinition instanceof Ssa::ParameterDefinition { - Parameter getParameter() { result = super.getParameter() } - } + import Ssa predicate additionalNullCheck(GuardsImpl::PreGuard guard, GuardValue val, Expr e, boolean isNull) { // Comparison with a non-`null` value, for example `x?.Length > 0` diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 63205e52ae5e..6cd4fe311137 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -250,9 +250,9 @@ private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { } private module NullnessConfig implements ControlFlowReachability::ConfigSig { - predicate source(ControlFlowNode node, Ssa::Definition def) { defMaybeNull(def, node, _, _) } + predicate source(ControlFlowNode node, SsaDefinition def) { defMaybeNull(def, node, _, _) } - predicate sink(ControlFlowNode node, Ssa::Definition def) { + predicate sink(ControlFlowNode node, SsaDefinition def) { exists(Dereference d | dereferenceAt(node, def, d) and not d instanceof NonNullExpr From fb438bf5127bd058de75f35e8d31897c84c5a08c Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 14:25:43 +0200 Subject: [PATCH 04/22] C#: Remove references to getAFirstReadAtNode. --- csharp/ql/lib/semmle/code/csharp/Assignable.qll | 6 +----- csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/Assignable.qll b/csharp/ql/lib/semmle/code/csharp/Assignable.qll index d2df0a5a05e0..a86e9d6de5cf 100644 --- a/csharp/ql/lib/semmle/code/csharp/Assignable.qll +++ b/csharp/ql/lib/semmle/code/csharp/Assignable.qll @@ -500,11 +500,7 @@ class AssignableDefinition extends TAssignableDefinition { */ pragma[nomagic] AssignableRead getAFirstRead() { - exists(ControlFlowNode cfn | cfn = result.getControlFlowNode() | - exists(Ssa::ExplicitDefinition def | result = def.getAFirstReadAtNode(cfn) | - this = def.getADefinition() - ) - ) + exists(Ssa::ExplicitDefinition def | result = def.getAFirstRead() | this = def.getADefinition()) } /** Gets a textual representation of this assignable definition. */ diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 6cd4fe311137..693a91a3ce54 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -241,7 +241,7 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { * exception. */ private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { - exists(def.getAFirstReadAtNode(cfn)) + def.getAFirstRead().getControlFlowNode() = cfn or exists(ControlFlowNode mid | defReaches(def, mid) | SsaImpl::adjacentReadPairSameVar(_, mid, cfn) and From 83c7a33e53c2d300820c3afaefad0d384c1ff696 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 14:45:46 +0200 Subject: [PATCH 05/22] C#: Deprecate member predicates Definition.getAFirstRead and getAFirstReadAtNode. --- .../ql/lib/semmle/code/csharp/Assignable.qll | 4 +- .../semmle/code/csharp/dataflow/Nullness.qll | 2 +- .../lib/semmle/code/csharp/dataflow/SSA.qll | 49 ++++++++++++++++++- .../dataflow/defuse/useUseEquivalence.ql | 4 +- 4 files changed, 53 insertions(+), 6 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/Assignable.qll b/csharp/ql/lib/semmle/code/csharp/Assignable.qll index a86e9d6de5cf..066cdeaed15a 100644 --- a/csharp/ql/lib/semmle/code/csharp/Assignable.qll +++ b/csharp/ql/lib/semmle/code/csharp/Assignable.qll @@ -500,7 +500,9 @@ class AssignableDefinition extends TAssignableDefinition { */ pragma[nomagic] AssignableRead getAFirstRead() { - exists(Ssa::ExplicitDefinition def | result = def.getAFirstRead() | this = def.getADefinition()) + exists(Ssa::ExplicitDefinition def | result = Ssa::ssaGetAFirstUse(def) | + this = def.getADefinition() + ) } /** Gets a textual representation of this assignable definition. */ diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 693a91a3ce54..726f695e9b73 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -241,7 +241,7 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { * exception. */ private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { - def.getAFirstRead().getControlFlowNode() = cfn + Ssa::ssaGetAFirstUse(def).getControlFlowNode() = cfn or exists(ControlFlowNode mid | defReaches(def, mid) | SsaImpl::adjacentReadPairSameVar(_, mid, cfn) and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 7670774da980..9568adf6c274 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -149,6 +149,47 @@ module Ssa { } } + /** + * Gets a read of the source variable underlying the SSA definition `def` + * that can be reached from `def` without passing through any + * other SSA definition or read. Example: + * + * ```csharp + * int Field; + * + * void SetField(int i) { + * this.Field = i; + * Use(this.Field); + * if (i > 0) + * this.Field = i - 1; + * else if (i < 0) + * SetField(1); + * Use(this.Field); + * Use(this.Field); + * } + * ``` + * + * - The read of `i` on line 4 can be reached from the explicit SSA + * definition (wrapping an implicit entry definition) on line 3. + * - The reads of `i` on lines 6 and 7 are not the first reads of any SSA + * definition. + * - The read of `this.Field` on line 5 can be reached from the explicit SSA + * definition on line 4. + * - The read of `this.Field` on line 10 can be reached from the phi node + * between lines 9 and 10. + * - The read of `this.Field` on line 11 is not the first read of any SSA + * definition. + * + * Subsequent reads can be found by following the steps defined by + * `AssignableRead.getANextRead()`. + */ + AssignableRead ssaGetAFirstUse(SsaDefinition def) { + exists(ControlFlowNode cfn | + SsaImpl::firstReadSameVar(def, cfn) and + result.getControlFlowNode() = cfn + ) + } + /** * A static single assignment (SSA) definition. Either an explicit variable * definition (`ExplicitDefinition`), an implicit variable definition @@ -229,6 +270,8 @@ module Ssa { } /** + * DEPRECATED: Use `ssaGetAFirstUse` instead. + * * Gets a read of the source variable underlying this SSA definition that * can be reached from this SSA definition without passing through any * other SSA definition or read. Example: @@ -262,9 +305,11 @@ module Ssa { * Subsequent reads can be found by following the steps defined by * `AssignableRead.getANextRead()`. */ - final AssignableRead getAFirstRead() { result = this.getAFirstReadAtNode(_) } + deprecated final AssignableRead getAFirstRead() { result = this.getAFirstReadAtNode(_) } /** + * DEPRECATED: Use `ssaGetAFirstUse` instead. + * * Gets a read of the source variable underlying this SSA definition at * control flow node `cfn` that can be reached from this SSA definition * without passing through any other SSA definition or read. Example: @@ -298,7 +343,7 @@ module Ssa { * Subsequent reads can be found by following the steps defined by * `AssignableRead.getANextRead()`. */ - final AssignableRead getAFirstReadAtNode(ControlFlowNode cfn) { + deprecated final AssignableRead getAFirstReadAtNode(ControlFlowNode cfn) { SsaImpl::firstReadSameVar(this, cfn) and result.getControlFlowNode() = cfn } diff --git a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql index bc3d6d422a6c..b6610aa25542 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql @@ -42,9 +42,9 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea ) or exists(Ssa::Definition ssaDef | prev = TSsaDefinition(ssaDef) | - result = TLocalScopeVariableRead(ssaDef.getAFirstRead()) + result = TLocalScopeVariableRead(Ssa::ssaGetAFirstUse(ssaDef)) or - not exists(ssaDef.getAFirstRead()) and + not exists(Ssa::ssaGetAFirstUse(ssaDef)) and exists(Ssa::PhiNode phi | phi.getAnInput() = ssaDef and result = TSsaDefinition(phi) From 2545f06b525a076d897789d3fbc420f83a671a98 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 14:59:01 +0200 Subject: [PATCH 06/22] C#: Deprecate member predicate Definition.getAReadAtNode. --- .../lib/semmle/code/csharp/controlflow/Guards.qll | 2 +- .../lib/semmle/code/csharp/dataflow/Nullness.qll | 14 +++++++------- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 6 ++++-- .../csharp/dataflow/internal/DataFlowPrivate.qll | 2 +- .../rangeanalysis/SignAnalysisSpecific.qll | 2 +- .../dataflow/internal/rangeanalysis/SsaUtils.qll | 6 +++--- 6 files changed, 17 insertions(+), 15 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll index 296df458ff2c..45a73f008ddf 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll @@ -586,7 +586,7 @@ private Ssa::Definition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { } private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlowNode cfn) { - result = def.getAReadAtNode(cfn) + result = def.getARead() and cfn = result.getControlFlowNode() or result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and cfn = def.getControlFlowNode() diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 726f695e9b73..9af83aa767ac 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -124,11 +124,9 @@ private predicate nonNullDef(Ssa::ExplicitDefinition def) { } /** - * Holds if `node` is a dereference `d` of SSA definition `def`. + * Holds if `d` is a dereference of SSA definition `def`. */ -private predicate dereferenceAt(ControlFlowNode node, Ssa::Definition def, Dereference d) { - d = def.getAReadAtNode(node) -} +private predicate dereferenceAt(Ssa::Definition def, Dereference d) { d = def.getARead() } private predicate isMaybeNullArgument(Ssa::ParameterDefinition def, MaybeNullExpr arg) { exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p | @@ -214,7 +212,7 @@ private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string ) or // A variable of nullable type may be null - exists(Dereference d | dereferenceAt(_, def, d) | + exists(Dereference d | dereferenceAt(def, d) | node = def.getControlFlowNode() and d.hasNullableType() and not def instanceof Ssa::PhiNode and @@ -254,7 +252,8 @@ private module NullnessConfig implements ControlFlowReachability::ConfigSig { predicate sink(ControlFlowNode node, SsaDefinition def) { exists(Dereference d | - dereferenceAt(node, def, d) and + dereferenceAt(def, d) and + node = d.getControlFlowNode() and not d instanceof NonNullExpr ) } @@ -271,7 +270,8 @@ predicate maybeNullDeref(Dereference d, Ssa::SourceVariable v, string msg, Eleme defMaybeNull(origin, src, msg, reason) and NullnessFlow::flow(src, origin, sink, ssa) and ssa.getSourceVariable() = v and - dereferenceAt(sink, ssa, d) and + dereferenceAt(ssa, d) and + sink = d.getControlFlowNode() and not d.isAlwaysNull(v) ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 9568adf6c274..7d8809a700cf 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -236,9 +236,11 @@ module Ssa { * - The reads of `this.Field` on lines 10 and 11 can be reached from the phi * node between lines 9 and 10. */ - final AssignableRead getARead() { result = this.getAReadAtNode(_) } + final AssignableRead getARead() { result = SsaImpl::getAReadAtNode(this, _) } /** + * DEPRECATED: Use `getARead()` instead. + * * Gets a read of the source variable underlying this SSA definition at * control flow node `cfn` that can be reached from this SSA definition * without passing through any other SSA definitions. Example: @@ -265,7 +267,7 @@ module Ssa { * - The reads of `this.Field` on lines 10 and 11 can be reached from the phi * node between lines 9 and 10. */ - final AssignableRead getAReadAtNode(ControlFlowNode cfn) { + deprecated final AssignableRead getAReadAtNode(ControlFlowNode cfn) { result = SsaImpl::getAReadAtNode(this, cfn) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index c4d2a8441033..c498d4aa3a97 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -273,7 +273,7 @@ module VariableCapture { exists(Ssa::Definition def, AssignableDefinition adef | LocalFlow::defAssigns(adef, _, _, e1) and def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and - exists(def.getAReadAtNode(e2)) + def.getARead().getControlFlowNode() = e2 ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index f6dd4911256c..96245e460c71 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -245,7 +245,7 @@ private module Impl { ) } - ExprNode getARead(Ssa::Definition v) { exists(v.getAReadAtNode(result)) } + ExprNode getARead(Ssa::Definition v) { v.getARead().getControlFlowNode() = result } Field getField(ExprNode fa) { result = fa.getExpr().(FieldAccess).getTarget() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll index 55267fad17cf..9ff12625a060 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll @@ -12,13 +12,13 @@ private class ExprNode = ControlFlowNodes::ExprNode; /** An SSA variable. */ class SsaVariable extends Definition { /** Gets a read of this SSA variable. */ - ExprNode getAUse() { exists(this.getAReadAtNode(result)) } + ExprNode getAUse() { this.getARead().getControlFlowNode() = result } } /** Gets a node that reads `src` via an SSA explicit definition. */ ExprNode getAnExplicitDefinitionRead(ExprNode src) { exists(ExplicitDefinition def | - exists(def.getAReadAtNode(result)) and + def.getARead().getControlFlowNode() = result and hasChild(def.getElement(), def.getADefinition().getSource(), def.getControlFlowNode(), src) ) } @@ -27,7 +27,7 @@ ExprNode getAnExplicitDefinitionRead(ExprNode src) { * Gets an expression that equals `v - delta`. */ ExprNode ssaRead(Definition v, int delta) { - exists(v.getAReadAtNode(result)) and delta = 0 + v.getARead().getControlFlowNode() = result and delta = 0 or exists(ExprNode::AddOperation add, int d1, ConstantIntegerExpr c | result = add and From c88a22ccf8e40cb80a94a278736229900bb8a9fd Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 16:21:29 +0200 Subject: [PATCH 07/22] C#: Replace most uses of Ssa::Definition with SsaDefinition. --- .../semmle/code/csharp/controlflow/Guards.qll | 24 ++++++++--------- .../semmle/code/csharp/dataflow/Nullness.qll | 26 +++++++++---------- .../dataflow/internal/DataFlowPrivate.qll | 4 +-- .../code/csharp/dataflow/internal/SsaImpl.qll | 4 +-- .../internal/rangeanalysis/RangeUtils.qll | 2 +- .../rangeanalysis/SignAnalysisSpecific.qll | 4 +-- .../rangeanalysis/SsaReadPositionSpecific.qll | 2 +- .../internal/rangeanalysis/SsaUtils.qll | 4 +-- .../Control-Flow/ConstantCondition.ql | 2 +- .../src/Likely Bugs/Dynamic/BadDynamicCall.ql | 2 +- .../ql/test/library-tests/csharp7/DefUse.ql | 2 +- .../dataflow/defuse/defUseEquivalence.ql | 2 +- .../defuse/parameterUseEquivalence.ql | 2 +- .../dataflow/defuse/useUseEquivalence.ql | 6 ++--- .../test/library-tests/dataflow/ssa/SSAPhi.ql | 2 +- .../test/library-tests/dataflow/ssa/SsaDef.ql | 2 +- .../library-tests/dataflow/ssa/SsaRead.ql | 2 +- .../dataflow/ssa/SsaUltimateDef.ql | 2 +- 18 files changed, 47 insertions(+), 47 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll index 45a73f008ddf..48adada60d85 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll @@ -570,7 +570,7 @@ class AccessOrCallExpr extends Expr { * An expression can have more than one SSA qualifier in the presence * of control flow splitting. */ - Ssa::Definition getAnSsaQualifier(ControlFlowNode cfn) { result = getAnSsaQualifier(this, cfn) } + SsaDefinition getAnSsaQualifier(ControlFlowNode cfn) { result = getAnSsaQualifier(this, cfn) } } private Declaration getDeclarationTarget(Expr e) { @@ -578,14 +578,14 @@ private Declaration getDeclarationTarget(Expr e) { result = e.(Call).getTarget() } -private Ssa::Definition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { +private SsaDefinition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { e = getATrackedAccess(result, cfn) or not e = getATrackedAccess(_, _) and result = getAnSsaQualifier(e.(QualifiableExpr).getQualifier(), cfn) } -private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlowNode cfn) { +private AssignableAccess getATrackedAccess(SsaDefinition def, ControlFlowNode cfn) { result = def.getARead() and cfn = result.getControlFlowNode() or result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and @@ -593,7 +593,7 @@ private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlowNode } private predicate ssaMustHaveValue(Expr e, GuardValue v) { - exists(Ssa::Definition def, BasicBlock bb | + exists(SsaDefinition def, BasicBlock bb | e = def.getARead() and e.getBasicBlock() = bb and Guards::ssaControls(def, bb, v) @@ -825,8 +825,8 @@ module Internal { ) or e = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nullDef(u)) ).getARead() } @@ -840,8 +840,8 @@ module Internal { exists(Expr e1 | nonNullValueImplied(e1) and nonNullValueImpliedUnary(e1, e)) or e = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) ).getARead() } @@ -1104,7 +1104,7 @@ module Internal { private predicate nodeIsGuardedBySameSubExprSsaDef0( ControlFlowNode cfn, BasicBlock guardedBB, AccessOrCallExpr guarded, Guard g, ControlFlowNode subCfn, BasicBlock subCfnBB, AccessOrCallExpr sub, GuardValue v, - Ssa::Definition def + SsaDefinition def ) { nodeIsGuardedBySameSubExpr(cfn, guardedBB, guarded, g, sub, v) and def = sub.getAnSsaQualifier(subCfn) and @@ -1114,7 +1114,7 @@ module Internal { pragma[nomagic] private predicate nodeIsGuardedBySameSubExprSsaDef( ControlFlowNode guardedCfn, AccessOrCallExpr guarded, Guard g, ControlFlowNode subCfn, - AccessOrCallExpr sub, GuardValue v, Ssa::Definition def + AccessOrCallExpr sub, GuardValue v, SsaDefinition def ) { exists(BasicBlock guardedBB, BasicBlock subCfnBB | nodeIsGuardedBySameSubExprSsaDef0(guardedCfn, guardedBB, guarded, g, subCfn, subCfnBB, sub, @@ -1133,7 +1133,7 @@ module Internal { cached predicate isGuardedByExpr(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, GuardValue v) { isGuardedByExpr0(guarded, g, sub, v) and - forall(ControlFlowNode subCfn, Ssa::Definition def | + forall(ControlFlowNode subCfn, SsaDefinition def | nodeIsGuardedBySameSubExprSsaDef(_, guarded, g, subCfn, sub, v, def) | def = guarded.getAnSsaQualifier(_) @@ -1145,7 +1145,7 @@ module Internal { ControlFlowNodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, GuardValue v ) { nodeIsGuardedBySameSubExpr(guarded, _, _, g, sub, v) and - forall(ControlFlowNode subCfn, Ssa::Definition def | + forall(ControlFlowNode subCfn, SsaDefinition def | nodeIsGuardedBySameSubExprSsaDef(guarded, _, g, subCfn, sub, v, def) | def = diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 9af83aa767ac..95dfcf3f0ec3 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -67,8 +67,8 @@ class AlwaysNullExpr extends Expr { exists(AlwaysNullExpr e1, AlwaysNullExpr e2 | G::Internal::nullValueImpliedBinary(e1, e2, this)) or this = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nullDef(u)) ).getARead() or exists(Callable target | @@ -94,8 +94,8 @@ class NonNullExpr extends Expr { this instanceof G::NullGuardedExpr or this = - any(Ssa::Definition def | - forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) + any(SsaDefinition def | + forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nonNullDef(u)) ).getARead() or exists(Callable target | @@ -126,7 +126,7 @@ private predicate nonNullDef(Ssa::ExplicitDefinition def) { /** * Holds if `d` is a dereference of SSA definition `def`. */ -private predicate dereferenceAt(Ssa::Definition def, Dereference d) { d = def.getARead() } +private predicate dereferenceAt(SsaDefinition def, Dereference d) { d = def.getARead() } private predicate isMaybeNullArgument(Ssa::ParameterDefinition def, MaybeNullExpr arg) { exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p | @@ -180,7 +180,7 @@ private predicate hasMultipleParamsArguments(Call c) { } /** Holds if `def` is an SSA definition that may be `null`. */ -private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string msg, Element reason) { +private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string msg, Element reason) { not nonNullDef(def) and ( // A variable compared to `null` might be `null` @@ -222,13 +222,13 @@ private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string ) } -private Ssa::Definition getAPseudoInput(Ssa::Definition def) { +private SsaDefinition getAPseudoInput(SsaDefinition def) { result = def.(Ssa::PhiNode).getAnInput() } // `def.getAnUltimateDefinition()` includes inputs into uncertain // definitions, but we only want inputs into pseudo nodes -private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { +private SsaDefinition getAnUltimateDefinition(SsaDefinition def) { result = getAPseudoInput*(def) and not result instanceof Ssa::PhiNode } @@ -238,7 +238,7 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) { * through an intermediate dereference that always throws a null reference * exception. */ -private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) { +private predicate defReaches(SsaDefinition def, ControlFlowNode cfn) { Ssa::ssaGetAFirstUse(def).getControlFlowNode() = cfn or exists(ControlFlowNode mid | defReaches(def, mid) | @@ -266,7 +266,7 @@ private module NullnessConfig implements ControlFlowReachability::ConfigSig { private module NullnessFlow = ControlFlowReachability::Flow; predicate maybeNullDeref(Dereference d, Ssa::SourceVariable v, string msg, Element reason) { - exists(Ssa::Definition origin, Ssa::Definition ssa, ControlFlowNode src, ControlFlowNode sink | + exists(SsaDefinition origin, SsaDefinition ssa, ControlFlowNode src, ControlFlowNode sink | defMaybeNull(origin, src, msg, reason) and NullnessFlow::flow(src, origin, sink, ssa) and ssa.getSourceVariable() = v and @@ -334,8 +334,8 @@ class Dereference extends G::DereferenceableExpr { ) } - private predicate isAlwaysNull0(Ssa::Definition def) { - forall(Ssa::Definition input | input = getAnUltimateDefinition(def) | + private predicate isAlwaysNull0(SsaDefinition def) { + forall(SsaDefinition input | input = getAnUltimateDefinition(def) | input.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof AlwaysNullExpr ) and not nonNullDef(def) and @@ -352,7 +352,7 @@ class Dereference extends G::DereferenceableExpr { // Exclude fields and properties, as they may not have an accurate SSA representation v.getAssignable() instanceof LocalScopeVariable and ( - forex(Ssa::Definition def0 | this = def0.getARead() | this.isAlwaysNull0(def0)) + forex(SsaDefinition def0 | this = def0.getARead() | this.isAlwaysNull0(def0)) or exists(G::GuardValue nv | this.(G::GuardedExpr).mustHaveValue(nv) and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index c498d4aa3a97..b6a6d3988740 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -270,7 +270,7 @@ module VariableCapture { private predicate closureFlowStep(ControlFlowNodes::ExprNode e1, ControlFlowNodes::ExprNode e2) { e1.getExpr() = LocalFlow::getALastEvalNode(e2.getExpr()) or - exists(Ssa::Definition def, AssignableDefinition adef | + exists(SsaDefinition def, AssignableDefinition adef | LocalFlow::defAssigns(adef, _, _, e1) and def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and def.getARead().getControlFlowNode() = e2 @@ -2016,7 +2016,7 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead * SSA updates. */ predicate hasNonlocalValue() { - exists(Ssa::Definition def, Ssa::ImplicitDefinition idef | + exists(SsaDefinition def, Ssa::ImplicitDefinition idef | def.getARead() = this and idef = def.getAnUltimateDefinition() | diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 0c2ecf96b8f2..a4d788001a7e 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -915,9 +915,9 @@ private module Cached { } cached - predicate isLiveOutRefParameterDefinition(Ssa::Definition def, Parameter p) { + predicate isLiveOutRefParameterDefinition(SsaDefinition def, Parameter p) { p.isOutOrRef() and - exists(Ssa::SourceVariable v, Ssa::Definition def0, BasicBlock bb, int i | + exists(Ssa::SourceVariable v, SsaDefinition def0, BasicBlock bb, int i | v = def.getSourceVariable() and p = v.getAssignable() and def = def0.getAnUltimateDefinition() and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll index e53e3a44276d..fafb85440a27 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll @@ -106,7 +106,7 @@ private module Impl { * - `isEq = true` : `def == e + delta` * - `isEq = false` : `def != e + delta` */ - Guard eqFlowCond(Definition def, ExprNode e, int delta, boolean isEq, boolean testIsTrue) { + Guard eqFlowCond(SsaDefinition def, ExprNode e, int delta, boolean isEq, boolean testIsTrue) { exists(boolean eqpolarity | result.isEquality(ssaRead(def, delta), e, eqpolarity) and testIsTrue = [false, true] and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 96245e460c71..55b3ac31aa3e 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -13,7 +13,7 @@ module Private { class ConstantIntegerExpr = CU::ConstantIntegerExpr; - class SsaVariable = CS::Ssa::Definition; + class SsaVariable = CS::SsaDefinition; class SsaPhiNode = CS::Ssa::PhiNode; @@ -245,7 +245,7 @@ private module Impl { ) } - ExprNode getARead(Ssa::Definition v) { v.getARead().getControlFlowNode() = result } + ExprNode getARead(SsaDefinition v) { v.getARead().getControlFlowNode() = result } Field getField(ExprNode fa) { result = fa.getExpr().(FieldAccess).getTarget() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll index 6da6ec8b11e6..18c843c0472c 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll @@ -5,7 +5,7 @@ private import csharp as CS private import SsaReadPositionCommon -class SsaVariable = CS::Ssa::Definition; +class SsaVariable = CS::SsaDefinition; class SsaPhiNode = CS::Ssa::PhiNode; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll index 9ff12625a060..5681976a378c 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll @@ -10,7 +10,7 @@ private import ConstantUtils private class ExprNode = ControlFlowNodes::ExprNode; /** An SSA variable. */ -class SsaVariable extends Definition { +class SsaVariable extends SsaDefinition { /** Gets a read of this SSA variable. */ ExprNode getAUse() { this.getARead().getControlFlowNode() = result } } @@ -26,7 +26,7 @@ ExprNode getAnExplicitDefinitionRead(ExprNode src) { /** * Gets an expression that equals `v - delta`. */ -ExprNode ssaRead(Definition v, int delta) { +ExprNode ssaRead(SsaDefinition v, int delta) { v.getARead().getControlFlowNode() = result and delta = 0 or exists(ExprNode::AddOperation add, int d1, ConstantIntegerExpr c | diff --git a/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql b/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql index 8e36f4f1ad1b..295bdba1f7af 100644 --- a/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql +++ b/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql @@ -20,7 +20,7 @@ import semmle.code.csharp.controlflow.Guards as Guards import codeql.controlflow.queries.ConstantCondition as ConstCond module ConstCondInput implements ConstCond::InputSig { - class SsaDefinition = Ssa::Definition; + class SsaDefinition = Ssa::SsaDefinition; class GuardValue = Guards::GuardValue; diff --git a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql index 75f152b38de1..4d68f6ee6282 100644 --- a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql +++ b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql @@ -36,7 +36,7 @@ abstract class BadDynamicCall extends DynamicExpr { } private Type possibleTypeForRelevantSource(Variable v, int i, Expr source) { - exists(AssignableRead read, Ssa::Definition ssaDef, Ssa::ExplicitDefinition ultimateSsaDef | + exists(AssignableRead read, SsaDefinition ssaDef, Ssa::ExplicitDefinition ultimateSsaDef | read = this.getARelevantVariableAccess(i) and v = read.getTarget() and result = source.getType() and diff --git a/csharp/ql/test/library-tests/csharp7/DefUse.ql b/csharp/ql/test/library-tests/csharp7/DefUse.ql index 5957c0092604..e696307be28c 100644 --- a/csharp/ql/test/library-tests/csharp7/DefUse.ql +++ b/csharp/ql/test/library-tests/csharp7/DefUse.ql @@ -1,6 +1,6 @@ import csharp -from AssignableDefinition def, AssignableRead read, Ssa::Definition ult, Ssa::Definition ssaDef +from AssignableDefinition def, AssignableRead read, SsaDefinition ult, SsaDefinition ssaDef where ssaDef.getAnUltimateDefinition() = ult and ( diff --git a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql index c69890be8c35..800ae9717598 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql @@ -29,7 +29,7 @@ predicate defUsePair(AssignableDefinition def, AssignableRead read) { } private LocalScopeVariableRead getAReachableUncertainRead(AssignableDefinition def) { - exists(Ssa::Definition ssaDef | + exists(SsaDefinition ssaDef | def = ssaDef.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() | result = ssaDef.getARead() diff --git a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql index 896092718a0e..10b916ab3f41 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql @@ -23,7 +23,7 @@ predicate parameterUsePair(Parameter p, AssignableRead read) { private LocalScopeVariableRead getAReachableUncertainRead( AssignableDefinitions::ImplicitParameterDefinition p ) { - exists(Ssa::Definition ssaDef | + exists(SsaDefinition ssaDef | p.getParameter() = ssaDef.getAnUltimateDefinition().(Ssa::ParameterDefinition).getParameter() | result = ssaDef.getARead() diff --git a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql index b6610aa25542..986707c018dd 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql @@ -25,14 +25,14 @@ predicate useUsePair(LocalScopeVariableRead read1, LocalScopeVariableRead read2) private newtype TLocalScopeVariableReadOrSsaDef = TLocalScopeVariableRead(LocalScopeVariableRead read) or - TSsaDefinition(Ssa::Definition ssaDef) + TSsaDefinition(SsaDefinition ssaDef) private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableReadOrSsaDef prev) { exists(LocalScopeVariableRead read | prev = TLocalScopeVariableRead(read) | result = TLocalScopeVariableRead(read.getANextRead()) or not exists(read.getANextRead()) and - exists(Ssa::Definition ssaDef, Ssa::PhiNode phi, BasicBlock bb | + exists(SsaDefinition ssaDef, Ssa::PhiNode phi, BasicBlock bb | ssaDef.getARead() = read and phi.getAnInput() = ssaDef and phi.definesAt(_, bb, _) and @@ -41,7 +41,7 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea ) ) or - exists(Ssa::Definition ssaDef | prev = TSsaDefinition(ssaDef) | + exists(SsaDefinition ssaDef | prev = TSsaDefinition(ssaDef) | result = TLocalScopeVariableRead(Ssa::ssaGetAFirstUse(ssaDef)) or not exists(Ssa::ssaGetAFirstUse(ssaDef)) and diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql index 90726a62880f..db24031365a4 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::PhiNode phi, Ssa::Definition input +from Ssa::SourceVariable v, Ssa::PhiNode phi, SsaDefinition input where phi.getAnInput() = input and v = phi.getSourceVariable() diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql index 5c9205fd68b7..87c4f53a56b9 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaDef.ql @@ -1,5 +1,5 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def +from Ssa::SourceVariable v, SsaDefinition def where v = def.getSourceVariable() select v, def diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql index 44e4cdc23d0a..1cc573d32771 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaRead.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def, AssignableRead read +from Ssa::SourceVariable v, SsaDefinition def, AssignableRead read where read = def.getARead() and v = def.getSourceVariable() diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql index 5d47aeb4b2c7..df565c0edc03 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaUltimateDef.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def, Ssa::Definition u +from Ssa::SourceVariable v, SsaDefinition def, SsaDefinition u where u = def.getAnUltimateDefinition() and v = def.getSourceVariable() From 9345c44e0f41624750a8d516441d0918d3ba3e9b Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 23 Apr 2026 16:23:21 +0200 Subject: [PATCH 08/22] C#: Delete test for Definition.getElement. --- .../dataflow/ssa/SsaDefElement.expected | 277 ------------------ .../dataflow/ssa/SsaDefElement.ql | 4 - 2 files changed, 281 deletions(-) delete mode 100644 csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected delete mode 100644 csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected b/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected deleted file mode 100644 index b6e2beaae692..000000000000 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.expected +++ /dev/null @@ -1,277 +0,0 @@ -| Capture.cs:10:16:27:9 | SSA def(a) | Capture.cs:10:16:27:9 | Action a = ... | -| Capture.cs:17:17:17:21 | SSA def(y) | Capture.cs:17:17:17:21 | Int32 y = ... | -| Capture.cs:19:20:23:13 | SSA def(b) | Capture.cs:19:20:23:13 | Action b = ... | -| Capture.cs:19:24:23:13 | SSA capture def(y) | Capture.cs:19:24:23:13 | (...) => ... | -| Capture.cs:30:16:30:35 | SSA def(c) | Capture.cs:30:16:30:35 | Action c = ... | -| Capture.cs:52:16:52:43 | SSA def(b) | Capture.cs:52:16:52:43 | Action b = ... | -| Capture.cs:57:57:57:63 | SSA param(strings) | Capture.cs:57:57:57:63 | strings | -| Capture.cs:60:27:60:38 | SSA def(e) | Capture.cs:60:27:60:38 | Func e = ... | -| Capture.cs:65:45:65:51 | SSA param(strings) | Capture.cs:65:45:65:51 | strings | -| Capture.cs:68:32:68:32 | SSA param(s) | Capture.cs:68:32:68:32 | s | -| Capture.cs:68:32:68:49 | SSA capture def(c) | Capture.cs:68:32:68:49 | (...) => ... | -| Capture.cs:69:9:69:62 | SSA capture def(c) | Capture.cs:69:9:69:62 | M | -| Capture.cs:69:25:69:25 | SSA param(s) | Capture.cs:69:25:69:25 | s | -| Capture.cs:73:67:73:73 | SSA param(strings) | Capture.cs:73:67:73:73 | strings | -| Capture.cs:76:63:76:81 | SSA def(e) | Capture.cs:76:63:76:81 | Expression> e = ... | -| Capture.cs:81:28:81:28 | SSA param(i) | Capture.cs:81:28:81:28 | i | -| Capture.cs:81:34:81:36 | SSA def(i) | Capture.cs:81:34:81:36 | ...++ | -| Capture.cs:83:65:83:71 | SSA param(strings) | Capture.cs:83:65:83:71 | strings | -| Capture.cs:86:64:86:73 | SSA def(e) | Capture.cs:86:64:86:73 | Expression> e = ... | -| Capture.cs:86:68:86:73 | SSA capture def(b) | Capture.cs:86:68:86:73 | (...) => ... | -| Capture.cs:92:18:92:18 | SSA param(d) | Capture.cs:92:18:92:18 | d | -| Capture.cs:96:12:100:9 | SSA capture def(y) | Capture.cs:96:12:100:9 | (...) => ... | -| Capture.cs:98:17:98:21 | SSA def(x) | Capture.cs:98:17:98:21 | Int32 x = ... | -| Capture.cs:115:9:119:9 | SSA capture def(a) | Capture.cs:115:9:119:9 | M1 | -| Capture.cs:117:17:117:21 | SSA def(x) | Capture.cs:117:17:117:21 | Int32 x = ... | -| Capture.cs:163:9:166:9 | SSA capture def(g) | Capture.cs:163:9:166:9 | M7 | -| Capture.cs:183:13:186:13 | SSA capture def(i) | Capture.cs:183:13:186:13 | M11 | -| Capture.cs:198:28:198:44 | SSA def(eh) | Capture.cs:198:28:198:44 | MyEventHandler eh = ... | -| Capture.cs:198:33:198:44 | SSA capture def(i) | Capture.cs:198:33:198:44 | (...) => ... | -| Capture.cs:203:28:203:45 | SSA def(eh2) | Capture.cs:203:28:203:45 | MyEventHandler eh2 = ... | -| Capture.cs:203:34:203:45 | SSA capture def(i) | Capture.cs:203:34:203:45 | (...) => ... | -| Capture.cs:210:24:210:59 | SSA def(p) | Capture.cs:210:24:210:59 | Process p = ... | -| Capture.cs:212:30:212:71 | SSA def(exited) | Capture.cs:212:30:212:71 | EventHandler exited = ... | -| Capture.cs:212:39:212:71 | SSA capture def(i) | Capture.cs:212:39:212:71 | (...) => ... | -| Capture.cs:251:13:251:17 | SSA def(j) | Capture.cs:251:13:251:17 | ... = ... | -| Consistency.cs:7:25:7:25 | SSA param(b) | Consistency.cs:7:25:7:25 | b | -| Consistency.cs:15:17:15:21 | SSA def(i) | Consistency.cs:15:17:15:21 | Int32 i = ... | -| Consistency.cs:25:29:25:29 | SSA def(c) | Consistency.cs:25:9:25:30 | call to method Out | -| Consistency.cs:25:29:25:29 | SSA qualifier def(c.Field) | Consistency.cs:25:9:25:30 | call to method Out | -| Consistency.cs:32:9:32:29 | SSA def(c) | Consistency.cs:32:9:32:29 | ... = ... | -| Consistency.cs:44:11:44:11 | SSA def(s) | Consistency.cs:44:11:44:11 | S s | -| Consistency.cs:49:30:49:30 | SSA param(a) | Consistency.cs:49:30:49:30 | a | -| Consistency.cs:49:37:49:37 | SSA param(i) | Consistency.cs:49:37:49:37 | i | -| Consistency.cs:51:20:51:20 | SSA param(a) | Consistency.cs:51:20:51:20 | a | -| Consistency.cs:56:17:56:40 | SSA def(k) | Consistency.cs:56:17:56:40 | Int32 k = ... | -| Consistency.cs:57:9:57:13 | SSA def(k) | Consistency.cs:57:9:57:13 | ... = ... | -| Consistency.cs:58:9:58:13 | SSA def(k) | Consistency.cs:58:9:58:13 | ... = ... | -| DefUse.cs:3:26:3:26 | SSA param(w) | DefUse.cs:3:26:3:26 | w | -| DefUse.cs:5:13:5:17 | SSA def(x) | DefUse.cs:5:13:5:17 | Int32 x = ... | -| DefUse.cs:6:14:6:19 | SSA def(y) | DefUse.cs:6:14:6:19 | Int64 y = ... | -| DefUse.cs:13:13:13:18 | SSA def(y) | DefUse.cs:13:13:13:18 | ... = ... | -| DefUse.cs:18:13:18:18 | SSA def(y) | DefUse.cs:18:13:18:18 | ... = ... | -| DefUse.cs:19:13:19:18 | SSA def(w) | DefUse.cs:19:13:19:18 | ... = ... | -| DefUse.cs:28:13:28:18 | SSA def(y) | DefUse.cs:28:13:28:18 | ... = ... | -| DefUse.cs:29:13:29:18 | SSA def(w) | DefUse.cs:29:13:29:18 | ... = ... | -| DefUse.cs:39:13:39:18 | SSA def(y) | DefUse.cs:39:13:39:18 | ... = ... | -| DefUse.cs:44:13:44:17 | SSA def(z) | DefUse.cs:44:13:44:17 | Int32 z = ... | -| DefUse.cs:47:23:47:23 | SSA def(z) | DefUse.cs:47:9:47:24 | call to method outMethod | -| DefUse.cs:50:23:50:23 | SSA def(z) | DefUse.cs:50:9:50:24 | call to method refMethod | -| DefUse.cs:53:9:53:17 | SSA def(this.Field) | DefUse.cs:53:9:53:17 | ... = ... | -| DefUse.cs:56:9:56:16 | SSA def(this.Prop) | DefUse.cs:56:9:56:16 | ... = ... | -| DefUse.cs:63:9:63:18 | SSA def(this.Field2) | DefUse.cs:63:9:63:18 | ... = ... | -| DefUse.cs:66:9:66:18 | SSA def(this.Field3) | DefUse.cs:66:9:66:18 | ... = ... | -| DefUse.cs:67:19:67:27 | SSA def(tc) | DefUse.cs:67:19:67:27 | TestClass tc = ... | -| DefUse.cs:79:13:79:18 | SSA def(x1) | DefUse.cs:79:13:79:18 | Int32 x1 = ... | -| DefUse.cs:80:30:80:31 | SSA def(x1) | DefUse.cs:80:16:80:32 | call to method refMethod | -| DefUse.cs:83:13:83:18 | SSA def(x2) | DefUse.cs:83:13:83:18 | Int32 x2 = ... | -| DefUse.cs:85:15:85:16 | SSA def(x2) | DefUse.cs:84:9:86:17 | call to method refOutMethod | -| DefUse.cs:89:13:89:18 | SSA def(x3) | DefUse.cs:89:13:89:18 | Int32 x3 = ... | -| DefUse.cs:92:15:92:16 | SSA def(x3) | DefUse.cs:91:9:93:17 | call to method refOutMethod | -| DefUse.cs:93:15:93:16 | SSA def(x4) | DefUse.cs:91:9:93:17 | call to method refOutMethod | -| DefUse.cs:97:13:97:18 | SSA def(x5) | DefUse.cs:97:13:97:18 | Int32 x5 = ... | -| DefUse.cs:101:13:101:23 | SSA def(x5) | DefUse.cs:101:13:101:23 | ... = ... | -| DefUse.cs:104:9:104:15 | SSA def(x5) | DefUse.cs:104:9:104:15 | ... += ... | -| DefUse.cs:114:47:114:52 | SSA def(i) | DefUse.cs:114:47:114:52 | ... = ... | -| DefUse.cs:116:47:116:51 | SSA def(i) | DefUse.cs:116:47:116:51 | ... = ... | -| DefUse.cs:118:45:118:45 | SSA param(i) | DefUse.cs:118:45:118:45 | i | -| DefUse.cs:118:61:118:65 | SSA def(j) | DefUse.cs:118:61:118:65 | ... = ... | -| DefUse.cs:118:68:118:72 | SSA def(i) | DefUse.cs:118:68:118:72 | ... = ... | -| DefUse.cs:128:19:128:19 | SSA param(i) | DefUse.cs:128:19:128:19 | i | -| DefUse.cs:134:22:134:22 | SSA param(d) | DefUse.cs:134:22:134:22 | d | -| DefUse.cs:142:68:142:69 | SSA param(ie) | DefUse.cs:142:68:142:69 | ie | -| DefUse.cs:144:22:144:22 | SSA def(x) | DefUse.cs:144:22:144:22 | String x | -| DefUse.cs:155:9:155:18 | SSA def(this.Field4) | DefUse.cs:155:9:155:18 | ... = ... | -| DefUse.cs:160:10:160:16 | SSA entry def(this.Field4) | DefUse.cs:160:10:160:16 | FieldM2 | -| DefUse.cs:171:23:180:9 | SSA def(a) | DefUse.cs:171:23:180:9 | Action a = ... | -| DefUse.cs:184:9:184:18 | SSA def(this.Field5) | DefUse.cs:184:9:184:18 | ... = ... | -| DefUse.cs:186:9:190:9 | SSA def(a) | DefUse.cs:186:9:190:9 | ... = ... | -| DefUse.cs:188:13:188:22 | SSA def(this.Field5) | DefUse.cs:188:13:188:22 | ... = ... | -| DefUse.cs:191:9:191:11 | SSA call def(this.Field5) | DefUse.cs:191:9:191:11 | delegate call | -| DefaultParam.cs:3:20:3:20 | SSA param(b) | DefaultParam.cs:3:20:3:20 | b | -| DefaultParam.cs:3:30:3:30 | SSA param(s) | DefaultParam.cs:3:30:3:30 | s | -| DefaultParam.cs:3:34:3:35 | SSA param_default(s) | DefaultParam.cs:3:34:3:35 | "" | -| DefaultParam.cs:3:42:3:42 | SSA param(i) | DefaultParam.cs:3:42:3:42 | i | -| DefaultParam.cs:3:42:3:42 | SSA phi(s) | DefaultParam.cs:3:42:3:42 | i | -| DefaultParam.cs:3:46:3:46 | SSA param_default(i) | DefaultParam.cs:3:46:3:46 | 0 | -| DefaultParam.cs:4:5:6:5 | SSA phi(i) | DefaultParam.cs:4:5:6:5 | {...} | -| Example.cs:6:23:6:23 | SSA param(i) | Example.cs:6:23:6:23 | i | -| Example.cs:8:9:8:22 | SSA def(this.Field) | Example.cs:8:9:8:22 | ... = ... | -| Example.cs:11:13:11:30 | SSA def(this.Field) | Example.cs:11:13:11:30 | ... = ... | -| Example.cs:13:13:13:23 | SSA call def(this.Field) | Example.cs:13:13:13:23 | call to method SetField | -| Example.cs:18:16:18:16 | SSA param(p) | Example.cs:18:16:18:16 | p | -| Example.cs:18:24:18:24 | SSA param(b) | Example.cs:18:24:18:24 | b | -| Example.cs:23:13:23:17 | SSA def(p) | Example.cs:23:13:23:17 | ... = ... | -| Fields.cs:16:17:16:17 | SSA entry def(this.xs) | Fields.cs:16:17:16:17 | F | -| Fields.cs:19:9:19:13 | SSA call def(this.xs) | Fields.cs:19:9:19:13 | call to method Upd | -| Fields.cs:20:9:20:14 | SSA def(x) | Fields.cs:20:9:20:14 | ... = ... | -| Fields.cs:22:13:22:17 | SSA call def(this.xs) | Fields.cs:22:13:22:17 | call to method Upd | -| Fields.cs:24:9:24:23 | SSA def(this.xs) | Fields.cs:24:9:24:23 | ... = ... | -| Fields.cs:28:17:28:17 | SSA entry def(Fields.stat) | Fields.cs:28:17:28:17 | G | -| Fields.cs:28:17:28:17 | SSA entry def(this.xs) | Fields.cs:28:17:28:17 | G | -| Fields.cs:30:13:30:28 | SSA def(f) | Fields.cs:30:13:30:28 | Fields f = ... | -| Fields.cs:30:13:30:28 | SSA qualifier def(f.xs) | Fields.cs:30:13:30:28 | Fields f = ... | -| Fields.cs:30:17:30:28 | SSA call def(Fields.stat) | Fields.cs:30:17:30:28 | object creation of type Fields | -| Fields.cs:34:9:34:16 | SSA call def(Fields.stat) | Fields.cs:34:9:34:16 | call to method F | -| Fields.cs:34:9:34:16 | SSA call def(f.xs) | Fields.cs:34:9:34:16 | call to method F | -| Fields.cs:34:9:34:16 | SSA call def(this.xs) | Fields.cs:34:9:34:16 | call to method F | -| Fields.cs:38:9:38:13 | SSA call def(Fields.stat) | Fields.cs:38:9:38:13 | call to method F | -| Fields.cs:38:9:38:13 | SSA call def(f.xs) | Fields.cs:38:9:38:13 | call to method F | -| Fields.cs:38:9:38:13 | SSA call def(this.xs) | Fields.cs:38:9:38:13 | call to method F | -| Fields.cs:42:9:42:23 | SSA def(this.xs) | Fields.cs:42:9:42:23 | ... = ... | -| Fields.cs:45:9:45:25 | SSA def(f.xs) | Fields.cs:45:9:45:25 | ... = ... | -| Fields.cs:47:9:47:14 | SSA def(z) | Fields.cs:47:9:47:14 | ... = ... | -| Fields.cs:49:13:49:28 | SSA def(f) | Fields.cs:49:13:49:28 | ... = ... | -| Fields.cs:49:13:49:28 | SSA qualifier def(f.xs) | Fields.cs:49:13:49:28 | ... = ... | -| Fields.cs:49:17:49:28 | SSA call def(Fields.stat) | Fields.cs:49:17:49:28 | object creation of type Fields | -| Fields.cs:51:9:51:20 | SSA call def(Fields.stat) | Fields.cs:51:9:51:20 | object creation of type Fields | -| Fields.cs:61:17:61:17 | SSA entry def(this.LoopField) | Fields.cs:61:17:61:17 | H | -| Fields.cs:61:17:61:17 | SSA entry def(this.SingleAccessedField) | Fields.cs:61:17:61:17 | H | -| Fields.cs:74:17:74:17 | SSA entry def(this.SingleAccessedField) | Fields.cs:74:17:74:17 | I | -| Fields.cs:77:13:77:45 | SSA def(f) | Fields.cs:77:13:77:45 | Fields f = ... | -| Fields.cs:78:23:78:54 | SSA def(a) | Fields.cs:78:23:78:54 | Action a = ... | -| Fields.cs:78:27:78:54 | SSA capture def(f) | Fields.cs:78:27:78:54 | (...) => ... | -| Fields.cs:79:23:79:35 | SSA def(b) | Fields.cs:79:23:79:35 | Action b = ... | -| Fields.cs:80:9:80:25 | SSA def(f.xs) | Fields.cs:80:9:80:25 | ... = ... | -| Fields.cs:81:9:81:11 | SSA call def(f.xs) | Fields.cs:81:9:81:11 | delegate call | -| Fields.cs:83:9:83:25 | SSA def(f.xs) | Fields.cs:83:9:83:25 | ... = ... | -| Fields.cs:85:9:85:22 | SSA def(this.xs) | Fields.cs:85:9:85:22 | ... = ... | -| Fields.cs:86:9:86:47 | SSA call def(f.xs) | Fields.cs:86:9:86:47 | call to method Select | -| Fields.cs:86:24:86:46 | SSA capture def(a) | Fields.cs:86:24:86:46 | (...) => ... | -| Fields.cs:87:9:87:22 | SSA def(this.xs) | Fields.cs:87:9:87:22 | ... = ... | -| Fields.cs:88:9:88:25 | SSA def(f.xs) | Fields.cs:88:9:88:25 | ... = ... | -| Fields.cs:89:24:89:46 | SSA capture def(b) | Fields.cs:89:24:89:46 | (...) => ... | -| Fields.cs:95:19:95:19 | SSA param(f) | Fields.cs:95:19:95:19 | f | -| Fields.cs:97:9:97:30 | SSA def(f.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:97:9:97:30 | SSA qualifier def(f.Field.Field.Field.Field) | Fields.cs:97:9:97:30 | ... = ... | -| Fields.cs:102:9:102:28 | SSA def(this.Field) | Fields.cs:102:9:102:28 | ... = ... | -| Fields.cs:107:33:107:33 | SSA param(f) | Fields.cs:107:33:107:33 | f | -| Fields.cs:109:10:109:10 | SSA entry def(this.Field) | Fields.cs:109:10:109:10 | K | -| Fields.cs:114:9:114:22 | SSA call def(this.Field) | Fields.cs:114:9:114:22 | call to method SetField | -| Fields.cs:114:9:114:22 | SSA call def(this.Field.Field) | Fields.cs:114:9:114:22 | call to method SetField | -| Fields.cs:114:9:114:22 | SSA qualifier def(this.Field.Field.xs) | Fields.cs:114:9:114:22 | call to method SetField | -| MultiImplementationA.cs:5:22:5:22 | SSA param(x) | MultiImplementationA.cs:5:16:5:16 | M | -| MultiImplementationB.cs:3:22:3:22 | SSA param(x) | MultiImplementationA.cs:5:16:5:16 | M | -| OutRef.cs:7:10:7:10 | SSA entry def(this.Field) | OutRef.cs:7:10:7:10 | M | -| OutRef.cs:9:13:9:17 | SSA def(j) | OutRef.cs:9:13:9:17 | Int32 j = ... | -| OutRef.cs:10:25:10:25 | SSA def(i) | OutRef.cs:10:9:10:33 | call to method OutRefM | -| OutRef.cs:10:32:10:32 | SSA def(j) | OutRef.cs:10:9:10:33 | call to method OutRefM | -| OutRef.cs:13:21:13:21 | SSA def(i) | OutRef.cs:13:9:13:33 | call to method OutRefM | -| OutRef.cs:13:28:13:32 | SSA def(this.Field) | OutRef.cs:13:9:13:33 | call to method OutRefM | -| OutRef.cs:16:21:16:25 | SSA def(this.Field) | OutRef.cs:16:9:16:37 | call to method OutRefM | -| OutRef.cs:18:13:18:28 | SSA def(t) | OutRef.cs:18:13:18:28 | OutRef t = ... | -| OutRef.cs:18:13:18:28 | SSA qualifier def(t.Field) | OutRef.cs:18:13:18:28 | OutRef t = ... | -| OutRef.cs:19:21:19:25 | SSA def(this.Field) | OutRef.cs:19:9:19:39 | call to method OutRefM | -| OutRef.cs:19:32:19:38 | SSA def(t.Field) | OutRef.cs:19:9:19:39 | call to method OutRefM | -| OutRef.cs:22:22:22:22 | SSA def(j) | OutRef.cs:22:9:22:30 | call to method OutRefM2 | -| OutRef.cs:24:29:24:29 | SSA def(j) | OutRef.cs:24:9:24:30 | call to method OutRefM3 | -| OutRef.cs:28:37:28:37 | SSA param(j) | OutRef.cs:28:37:28:37 | j | -| OutRef.cs:30:9:30:13 | SSA def(i) | OutRef.cs:30:9:30:13 | ... = ... | -| OutRef.cs:31:9:31:13 | SSA def(j) | OutRef.cs:31:9:31:13 | ... = ... | -| OutRef.cs:34:38:34:38 | SSA param(j) | OutRef.cs:34:38:34:38 | j | -| OutRef.cs:36:9:36:13 | SSA def(i) | OutRef.cs:36:9:36:13 | ... = ... | -| OutRef.cs:39:24:39:24 | SSA param(b) | OutRef.cs:39:24:39:24 | b | -| OutRef.cs:39:35:39:35 | SSA param(j) | OutRef.cs:39:35:39:35 | j | -| OutRef.cs:42:13:42:17 | SSA def(j) | OutRef.cs:42:13:42:17 | ... = ... | -| Patterns.cs:7:16:7:23 | SSA def(o) | Patterns.cs:7:16:7:23 | Object o = ... | -| Patterns.cs:8:18:8:23 | SSA def(i1) | Patterns.cs:8:18:8:23 | Int32 i1 | -| Patterns.cs:12:23:12:31 | SSA def(s1) | Patterns.cs:12:23:12:31 | String s1 | -| Patterns.cs:24:18:24:23 | SSA def(i2) | Patterns.cs:24:18:24:23 | Int32 i2 | -| Patterns.cs:27:18:27:23 | SSA def(i3) | Patterns.cs:27:18:27:23 | Int32 i3 | -| Patterns.cs:30:18:30:26 | SSA def(s2) | Patterns.cs:30:18:30:26 | String s2 | -| Properties.cs:16:17:16:17 | SSA entry def(this.xs) | Properties.cs:16:17:16:17 | F | -| Properties.cs:19:9:19:13 | SSA call def(this.xs) | Properties.cs:19:9:19:13 | call to method Upd | -| Properties.cs:20:9:20:14 | SSA def(x) | Properties.cs:20:9:20:14 | ... = ... | -| Properties.cs:22:13:22:17 | SSA call def(this.xs) | Properties.cs:22:13:22:17 | call to method Upd | -| Properties.cs:24:9:24:23 | SSA def(this.xs) | Properties.cs:24:9:24:23 | ... = ... | -| Properties.cs:28:17:28:17 | SSA entry def(Properties.stat) | Properties.cs:28:17:28:17 | G | -| Properties.cs:28:17:28:17 | SSA entry def(this.xs) | Properties.cs:28:17:28:17 | G | -| Properties.cs:30:13:30:32 | SSA def(f) | Properties.cs:30:13:30:32 | Properties f = ... | -| Properties.cs:30:13:30:32 | SSA qualifier def(f.xs) | Properties.cs:30:13:30:32 | Properties f = ... | -| Properties.cs:30:17:30:32 | SSA call def(Properties.stat) | Properties.cs:30:17:30:32 | object creation of type Properties | -| Properties.cs:34:9:34:16 | SSA call def(Properties.stat) | Properties.cs:34:9:34:16 | call to method F | -| Properties.cs:34:9:34:16 | SSA call def(f.xs) | Properties.cs:34:9:34:16 | call to method F | -| Properties.cs:34:9:34:16 | SSA call def(this.xs) | Properties.cs:34:9:34:16 | call to method F | -| Properties.cs:38:9:38:13 | SSA call def(Properties.stat) | Properties.cs:38:9:38:13 | call to method F | -| Properties.cs:38:9:38:13 | SSA call def(f.xs) | Properties.cs:38:9:38:13 | call to method F | -| Properties.cs:38:9:38:13 | SSA call def(this.xs) | Properties.cs:38:9:38:13 | call to method F | -| Properties.cs:42:9:42:23 | SSA def(this.xs) | Properties.cs:42:9:42:23 | ... = ... | -| Properties.cs:45:9:45:25 | SSA def(f.xs) | Properties.cs:45:9:45:25 | ... = ... | -| Properties.cs:47:9:47:14 | SSA def(z) | Properties.cs:47:9:47:14 | ... = ... | -| Properties.cs:49:13:49:32 | SSA def(f) | Properties.cs:49:13:49:32 | ... = ... | -| Properties.cs:49:13:49:32 | SSA qualifier def(f.xs) | Properties.cs:49:13:49:32 | ... = ... | -| Properties.cs:49:17:49:32 | SSA call def(Properties.stat) | Properties.cs:49:17:49:32 | object creation of type Properties | -| Properties.cs:51:9:51:24 | SSA call def(Properties.stat) | Properties.cs:51:9:51:24 | object creation of type Properties | -| Properties.cs:61:17:61:17 | SSA entry def(this.LoopProp) | Properties.cs:61:17:61:17 | H | -| Properties.cs:61:17:61:17 | SSA entry def(this.SingleAccessedProp) | Properties.cs:61:17:61:17 | H | -| Properties.cs:61:23:61:23 | SSA param(i) | Properties.cs:61:23:61:23 | i | -| Properties.cs:63:16:63:18 | SSA def(i) | Properties.cs:63:16:63:18 | ...-- | -| Properties.cs:70:17:70:17 | SSA entry def(this.SingleAccessedProp) | Properties.cs:70:17:70:17 | I | -| Properties.cs:73:13:73:32 | SSA def(f) | Properties.cs:73:13:73:32 | Properties f = ... | -| Properties.cs:74:23:74:54 | SSA def(a) | Properties.cs:74:23:74:54 | Action a = ... | -| Properties.cs:74:27:74:54 | SSA capture def(f) | Properties.cs:74:27:74:54 | (...) => ... | -| Properties.cs:75:23:75:35 | SSA def(b) | Properties.cs:75:23:75:35 | Action b = ... | -| Properties.cs:76:9:76:25 | SSA def(f.xs) | Properties.cs:76:9:76:25 | ... = ... | -| Properties.cs:77:9:77:11 | SSA call def(f.xs) | Properties.cs:77:9:77:11 | delegate call | -| Properties.cs:79:9:79:25 | SSA def(f.xs) | Properties.cs:79:9:79:25 | ... = ... | -| Properties.cs:81:9:81:22 | SSA def(this.xs) | Properties.cs:81:9:81:22 | ... = ... | -| Properties.cs:82:9:82:47 | SSA call def(f.xs) | Properties.cs:82:9:82:47 | call to method Select | -| Properties.cs:82:24:82:46 | SSA capture def(a) | Properties.cs:82:24:82:46 | (...) => ... | -| Properties.cs:83:9:83:22 | SSA def(this.xs) | Properties.cs:83:9:83:22 | ... = ... | -| Properties.cs:84:9:84:25 | SSA def(f.xs) | Properties.cs:84:9:84:25 | ... = ... | -| Properties.cs:85:24:85:46 | SSA capture def(b) | Properties.cs:85:24:85:46 | (...) => ... | -| Properties.cs:106:37:106:37 | SSA param(p) | Properties.cs:106:37:106:37 | p | -| Properties.cs:108:10:108:10 | SSA entry def(this.Props) | Properties.cs:108:10:108:10 | K | -| Properties.cs:113:9:113:22 | SSA call def(this.Props) | Properties.cs:113:9:113:22 | call to method SetProps | -| Properties.cs:113:9:113:22 | SSA call def(this.Props.Props) | Properties.cs:113:9:113:22 | call to method SetProps | -| Properties.cs:113:9:113:22 | SSA qualifier def(this.Props.Props.xs) | Properties.cs:113:9:113:22 | call to method SetProps | -| Test.cs:5:15:5:20 | SSA param(param1) | Test.cs:5:15:5:20 | param1 | -| Test.cs:5:67:5:72 | SSA param(param2) | Test.cs:5:67:5:72 | param2 | -| Test.cs:7:9:7:17 | SSA def(this.field) | Test.cs:7:9:7:17 | ... = ... | -| Test.cs:8:13:8:17 | SSA def(x) | Test.cs:8:13:8:17 | Int32 x = ... | -| Test.cs:13:13:13:15 | SSA def(x) | Test.cs:13:13:13:15 | ...++ | -| Test.cs:14:13:14:19 | SSA def(y) | Test.cs:14:13:14:19 | ... = ... | -| Test.cs:14:17:14:19 | SSA def(x) | Test.cs:14:17:14:19 | ++... | -| Test.cs:15:13:15:17 | SSA def(z) | Test.cs:15:13:15:17 | ... = ... | -| Test.cs:19:13:19:17 | SSA def(y) | Test.cs:19:13:19:17 | ... = ... | -| Test.cs:20:13:20:18 | SSA def(y) | Test.cs:20:13:20:18 | ... += ... | -| Test.cs:21:13:21:22 | SSA def(this.field) | Test.cs:21:13:21:22 | ... = ... | -| Test.cs:22:13:22:17 | SSA def(z) | Test.cs:22:13:22:17 | ... = ... | -| Test.cs:27:17:27:24 | SSA def(param1) | Test.cs:27:17:27:24 | ...++ | -| Test.cs:31:13:31:18 | SSA def(y) | Test.cs:31:13:31:18 | ... -= ... | -| Test.cs:34:18:34:22 | SSA def(i) | Test.cs:34:18:34:22 | Int32 i = ... | -| Test.cs:34:33:34:35 | SSA def(i) | Test.cs:34:33:34:35 | ...++ | -| Test.cs:36:13:36:18 | SSA def(x) | Test.cs:36:13:36:18 | ... += ... | -| Test.cs:39:22:39:22 | SSA def(w) | Test.cs:39:22:39:22 | Int32 w | -| Test.cs:39:22:39:22 | SSA phi(param1) | Test.cs:39:22:39:22 | Int32 w | -| Test.cs:41:13:41:23 | SSA def(param1) | Test.cs:41:13:41:23 | ... += ... | -| Test.cs:46:10:46:10 | SSA entry def(this.field) | Test.cs:46:10:46:10 | g | -| Test.cs:46:16:46:18 | SSA param(in) | Test.cs:46:16:46:18 | in | -| Test.cs:50:13:50:20 | SSA def(out) | Test.cs:50:13:50:20 | ... = ... | -| Test.cs:54:13:54:20 | SSA def(out) | Test.cs:54:13:54:20 | ... = ... | -| Test.cs:57:9:57:17 | SSA def(this.field) | Test.cs:57:9:57:17 | ... = ... | -| Test.cs:62:16:62:16 | SSA param(x) | Test.cs:62:16:62:16 | x | -| Test.cs:68:45:68:45 | SSA def(e) | Test.cs:68:45:68:45 | DivideByZeroException e | -| Test.cs:76:24:76:25 | SSA param(b1) | Test.cs:76:24:76:25 | b1 | -| Test.cs:76:33:76:34 | SSA param(b2) | Test.cs:76:33:76:34 | b2 | -| Test.cs:76:42:76:43 | SSA param(b3) | Test.cs:76:42:76:43 | b3 | -| Test.cs:76:51:76:52 | SSA param(b4) | Test.cs:76:51:76:52 | b4 | -| Test.cs:76:60:76:61 | SSA param(b5) | Test.cs:76:60:76:61 | b5 | -| Test.cs:76:69:76:70 | SSA param(b6) | Test.cs:76:69:76:70 | b6 | -| Test.cs:78:13:78:17 | SSA def(x) | Test.cs:78:13:78:17 | Int32 x = ... | -| Test.cs:108:13:108:17 | SSA def(x) | Test.cs:108:13:108:17 | ... = ... | -| Tuples.cs:10:9:10:54 | SSA def(b) | Tuples.cs:10:9:10:54 | ... = ... | -| Tuples.cs:10:9:10:54 | SSA def(s) | Tuples.cs:10:9:10:54 | ... = ... | -| Tuples.cs:10:9:10:54 | SSA def(x) | Tuples.cs:10:9:10:54 | ... = ... | -| Tuples.cs:14:9:14:32 | SSA def(b) | Tuples.cs:14:9:14:32 | ... = ... | -| Tuples.cs:14:9:14:32 | SSA def(s) | Tuples.cs:14:9:14:32 | ... = ... | -| Tuples.cs:14:9:14:32 | SSA def(x) | Tuples.cs:14:9:14:32 | ... = ... | -| Tuples.cs:18:40:18:57 | SSA def(tuple) | Tuples.cs:18:40:18:57 | (Int32,(Boolean,String)) tuple = ... | -| Tuples.cs:20:9:20:34 | SSA def(this.Field) | Tuples.cs:20:9:20:34 | ... = ... | -| Tuples.cs:20:9:20:34 | SSA def(this.Property) | Tuples.cs:20:9:20:34 | ... = ... | -| Tuples.cs:23:9:23:37 | SSA def(x) | Tuples.cs:23:9:23:37 | ... = ... | -| Tuples.cs:25:13:25:28 | SSA def(t) | Tuples.cs:25:13:25:28 | Tuples t = ... | -| Tuples.cs:26:9:26:33 | SSA def(t.Field) | Tuples.cs:26:9:26:33 | ... = ... | -| Tuples.cs:26:9:26:33 | SSA def(this.Field) | Tuples.cs:26:9:26:33 | ... = ... | diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql deleted file mode 100644 index e404aee77679..000000000000 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaDefElement.ql +++ /dev/null @@ -1,4 +0,0 @@ -import csharp - -from Ssa::Definition def -select def, def.getElement() From ed6cdfc227f37e6b34d755699ca01aed1ce031d2 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 24 Apr 2026 08:47:36 +0200 Subject: [PATCH 09/22] C#: Move isLiveOutRefParameterDefinition to top-level. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 6 +++++- .../code/csharp/dataflow/internal/DataFlowPrivate.qll | 4 ++-- .../ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 4 ++++ .../library-tests/dataflow/callablereturnsarg/Common.qll | 2 +- .../dataflow/ssa/IsLiveOutRefParameterDefinition.ql | 4 ++-- 5 files changed, 14 insertions(+), 6 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 7d8809a700cf..53866c77004d 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -190,6 +190,8 @@ module Ssa { ) } + predicate isLiveOutRefParameterDefinition = SsaImpl::isLiveOutRefParameterDefinition/2; + /** * A static single assignment (SSA) definition. Either an explicit variable * definition (`ExplicitDefinition`), an implicit variable definition @@ -408,10 +410,12 @@ module Ssa { } /** + * DEPRECATED: Use `isLiveOutRefParameterDefinition(SsaDefinition, Parameter)` instead. + * * Holds if this SSA definition assigns to `out`/`ref` parameter `p`, and the * parameter may remain unchanged throughout the rest of the enclosing callable. */ - final predicate isLiveOutRefParameterDefinition(Parameter p) { + deprecated final predicate isLiveOutRefParameterDefinition(Parameter p) { SsaImpl::isLiveOutRefParameterDefinition(this, p) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index b6a6d3988740..0f553b6e0361 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1244,7 +1244,7 @@ class SsaNode extends NodeImpl, TSsaNode { class SsaDefinitionNode extends SsaNode { override SsaImpl::DataFlowIntegration::SsaDefinitionNode node; - Ssa::Definition getDefinition() { result = node.getDefinition() } + SsaDefinition getDefinition() { result = node.getDefinition() } override ControlFlowNode getControlFlowNodeImpl() { result = this.getDefinition().getControlFlowNode() @@ -1613,7 +1613,7 @@ private module ReturnNodes { OutRefReturnNode() { exists(Parameter p | - this.getDefinition().isLiveOutRefParameterDefinition(p) and + Ssa::isLiveOutRefParameterDefinition(this.getDefinition(), p) and kind.getPosition() = p.getPosition() | p.isOut() and kind instanceof OutReturnKind diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index a4d788001a7e..6966152475bc 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -914,6 +914,10 @@ private module Cached { Impl::uncertainWriteDefinitionInput(def, result) } + /** + * Holds if the SSA definition `def` assigns to `out`/`ref` parameter `p`, and the + * parameter may remain unchanged throughout the rest of the enclosing callable. + */ cached predicate isLiveOutRefParameterDefinition(SsaDefinition def, Parameter p) { p.isOutOrRef() and diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll index 3a3a55e42ccc..95a93e24a2ae 100644 --- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll @@ -5,7 +5,7 @@ private predicate outRefDef(DataFlow::ExprNode ne, int outRef) { exists(Ssa::ExplicitDefinition def, Parameter outRefParameter | outRefParameter.isOutOrRef() and ne.getExpr() = def.getADefinition().getSource() and - def.isLiveOutRefParameterDefinition(outRefParameter) and + Ssa::isLiveOutRefParameterDefinition(def, outRefParameter) and outRef = outRefParameter.getPosition() ) } diff --git a/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql b/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql index ca43b497dd53..130d91fb6fea 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/IsLiveOutRefParameterDefinition.ql @@ -1,7 +1,7 @@ import csharp -from Ssa::SourceVariable v, Ssa::Definition def +from Ssa::SourceVariable v, SsaDefinition def where v = def.getSourceVariable() and - def.isLiveOutRefParameterDefinition(_) + Ssa::isLiveOutRefParameterDefinition(def, _) select v, def From a6c7f27fc12b015dd8cc2baec4d857b2ae2620ad Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 24 Apr 2026 08:51:25 +0200 Subject: [PATCH 10/22] C#: Deprecate Definition.getEnclosingCallable. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 53866c77004d..dd07dcb9f28f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -404,8 +404,12 @@ module Ssa { result.(ControlFlowElement).getControlFlowNode() = this.getControlFlowNode() } - /** Gets the callable to which this SSA definition belongs. */ - final Callable getEnclosingCallable() { + /** + * DEPRECATED: Use `getSourceVariable().getEnclosingCallable()` instead. + * + * Gets the callable to which this SSA definition belongs. + */ + deprecated final Callable getEnclosingCallable() { result = this.getSourceVariable().getEnclosingCallable() } From dc34b10cb6cc20b39dcb1522d2ecf81b0f91540c Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Fri, 24 Apr 2026 16:04:36 +0200 Subject: [PATCH 11/22] C#: Replace Ssa::ExplicitDefinition with SsaExplicitWrite. --- .../ql/consistency-queries/SsaConsistency.ql | 4 +-- .../ql/lib/semmle/code/csharp/Assignable.qll | 4 +-- .../semmle/code/csharp/controlflow/Guards.qll | 10 ++---- .../semmle/code/csharp/dataflow/Nullness.qll | 16 ++++------ .../lib/semmle/code/csharp/dataflow/SSA.qll | 10 ++++-- .../dataflow/internal/DataFlowPrivate.qll | 11 +++---- .../code/csharp/dataflow/internal/SsaImpl.qll | 8 +++-- .../internal/rangeanalysis/RangeUtils.qll | 2 +- .../rangeanalysis/SignAnalysisSpecific.qll | 32 ++++++------------- .../internal/rangeanalysis/SsaUtils.qll | 14 ++++---- csharp/ql/src/Dead Code/DeadStoreOfLocal.ql | 2 +- .../src/Likely Bugs/Dynamic/BadDynamicCall.ql | 7 ++-- .../ql/test/library-tests/csharp7/DefUse.ql | 7 +--- .../dataflow/callablereturnsarg/Common.qll | 4 +-- .../dataflow/defuse/defUseEquivalence.ql | 6 +++- .../dataflow/ssa-large/countssa.ql | 4 +-- .../dataflow/ssa/BaseSsaConsistency.ql | 8 ++--- .../dataflow/ssa/SsaExplicitDef.ql | 4 +-- 18 files changed, 67 insertions(+), 86 deletions(-) diff --git a/csharp/ql/consistency-queries/SsaConsistency.ql b/csharp/ql/consistency-queries/SsaConsistency.ql index e9c9191b63a1..003e7ddd5e94 100644 --- a/csharp/ql/consistency-queries/SsaConsistency.ql +++ b/csharp/ql/consistency-queries/SsaConsistency.ql @@ -7,8 +7,8 @@ query predicate localDeclWithSsaDef(LocalVariableDeclExpr d) { // Local variables in C# must be initialized before every use, so uninitialized // local variables should not have an SSA definition, as that would imply that // the declaration is live (can reach a use without passing through a definition) - exists(ExplicitDefinition def | - d = def.getADefinition().(AssignableDefinitions::LocalVariableDefinition).getDeclaration() + exists(SsaExplicitWrite def | + d = def.getDefinition().(AssignableDefinitions::LocalVariableDefinition).getDeclaration() | not d = any(ForeachStmt fs).getVariableDeclExpr() and not d = any(SpecificCatchClause scc).getVariableDeclExpr() and diff --git a/csharp/ql/lib/semmle/code/csharp/Assignable.qll b/csharp/ql/lib/semmle/code/csharp/Assignable.qll index 066cdeaed15a..7bd432d48ce4 100644 --- a/csharp/ql/lib/semmle/code/csharp/Assignable.qll +++ b/csharp/ql/lib/semmle/code/csharp/Assignable.qll @@ -500,9 +500,7 @@ class AssignableDefinition extends TAssignableDefinition { */ pragma[nomagic] AssignableRead getAFirstRead() { - exists(Ssa::ExplicitDefinition def | result = Ssa::ssaGetAFirstUse(def) | - this = def.getADefinition() - ) + exists(SsaExplicitWrite def | result = Ssa::ssaGetAFirstUse(def) | this = def.getDefinition()) } /** Gets a textual representation of this assignable definition. */ diff --git a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll index 48adada60d85..168ce6a1e5c8 100644 --- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll +++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll @@ -588,7 +588,7 @@ private SsaDefinition getAnSsaQualifier(Expr e, ControlFlowNode cfn) { private AssignableAccess getATrackedAccess(SsaDefinition def, ControlFlowNode cfn) { result = def.getARead() and cfn = result.getControlFlowNode() or - result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and + result = def.(SsaExplicitWrite).getDefinition().getTargetAccess() and cfn = def.getControlFlowNode() } @@ -830,9 +830,7 @@ module Internal { ).getARead() } - private predicate nullDef(Ssa::ExplicitDefinition def) { - nullValueImplied(def.getADefinition().getSource()) - } + private predicate nullDef(SsaExplicitWrite def) { nullValueImplied(def.getValue()) } predicate nonNullValueImplied(Expr e) { nonNullValue(e) @@ -845,9 +843,7 @@ module Internal { ).getARead() } - private predicate nonNullDef(Ssa::ExplicitDefinition def) { - nonNullValueImplied(def.getADefinition().getSource()) - } + private predicate nonNullDef(SsaExplicitWrite def) { nonNullValueImplied(def.getValue()) } /** A callable that always returns a non-`null` value. */ private class NonNullCallable extends Callable { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 95dfcf3f0ec3..662cd5a5d189 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -80,9 +80,7 @@ class AlwaysNullExpr extends Expr { } /** Holds if SSA definition `def` is always `null`. */ -private predicate nullDef(Ssa::ExplicitDefinition def) { - def.getADefinition().getSource() instanceof AlwaysNullExpr -} +private predicate nullDef(SsaExplicitWrite def) { def.getValue() instanceof AlwaysNullExpr } /** An expression that is never `null`. */ class NonNullExpr extends Expr { @@ -108,10 +106,10 @@ class NonNullExpr extends Expr { } /** Holds if SSA definition `def` is never `null`. */ -private predicate nonNullDef(Ssa::ExplicitDefinition def) { - def.getADefinition().getSource() instanceof NonNullExpr +private predicate nonNullDef(SsaExplicitWrite def) { + def.getValue() instanceof NonNullExpr or - exists(AssignableDefinition ad | ad = def.getADefinition() | + exists(AssignableDefinition ad | ad = def.getDefinition() | ad instanceof AssignableDefinitions::PatternDefinition or ad = @@ -191,7 +189,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m not de = any(Ssa::PhiNode phi).getARead() and // Don't use a check as reason if there is a `null` assignment // or argument - not def.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof MaybeNullExpr and + not def.(SsaExplicitWrite).getValue() instanceof MaybeNullExpr and not isMaybeNullArgument(def, _) ) or @@ -205,7 +203,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m ) or // If the source of a variable is `null` then the variable may be `null` - exists(AssignableDefinition adef | adef = def.(Ssa::ExplicitDefinition).getADefinition() | + exists(AssignableDefinition adef | adef = def.(SsaExplicitWrite).getDefinition() | adef.getSource() = maybeNullExpr(node.asExpr()) and reason = adef.getExpr() and msg = "because of $@ assignment" @@ -336,7 +334,7 @@ class Dereference extends G::DereferenceableExpr { private predicate isAlwaysNull0(SsaDefinition def) { forall(SsaDefinition input | input = getAnUltimateDefinition(def) | - input.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof AlwaysNullExpr + input.(SsaExplicitWrite).getValue() instanceof AlwaysNullExpr ) and not nonNullDef(def) and this = def.getARead() and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index dd07dcb9f28f..ed75874b8420 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -428,19 +428,25 @@ module Ssa { } /** + * DEPRECATED: Use `SsaExplicitWrite` instead. + * * An SSA definition that corresponds to an explicit assignable definition. */ - class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition { + deprecated class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition { AssignableDefinition ad; ExplicitDefinition() { SsaImpl::explicitDefinition(this, _, ad) } /** + * DEPRECATED: Use `SsaExplicitWrite.getDefinition()` instead. + * * Gets an underlying assignable definition. The result is always unique, * except for pathological `out`/`ref` assignments like `M(out x, out x)`, * where there may be more than one underlying definition. */ - final AssignableDefinition getADefinition() { result = SsaImpl::getADefinition(this) } + deprecated final AssignableDefinition getADefinition() { + result = SsaImpl::getADefinition(this) + } /** * DEPRECATED. diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index 0f553b6e0361..b55b0cbd9349 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -272,7 +272,7 @@ module VariableCapture { or exists(SsaDefinition def, AssignableDefinition adef | LocalFlow::defAssigns(adef, _, _, e1) and - def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and + def.getAnUltimateDefinition().(SsaExplicitWrite).getDefinition() = adef and def.getARead().getControlFlowNode() = e2 ) } @@ -600,8 +600,8 @@ module LocalFlow { or ThisFlow::adjacentThisRefs(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo) or - exists(AssignableDefinition def, ControlFlowNode cfn, Ssa::ExplicitDefinition ssaDef | - ssaDef.getADefinition() = def and + exists(AssignableDefinition def, ControlFlowNode cfn, SsaExplicitWrite ssaDef | + ssaDef.getDefinition() = def and ssaDef.getControlFlowNode() = cfn and nodeFrom = TAssignableDefinitionNode(def, cfn) and nodeTo.(SsaDefinitionNode).getDefinition() = ssaDef @@ -2220,12 +2220,11 @@ private predicate readContentStep(Node node1, Content c, Node node2) { c instanceof ElementContent or exists( - ForeachStmt fs, Ssa::ExplicitDefinition def, - AssignableDefinitions::LocalVariableDefinition defTo + ForeachStmt fs, SsaExplicitWrite def, AssignableDefinitions::LocalVariableDefinition defTo | node1.asExpr() = fs.getIterableExpr() and defTo.getDeclaration() = fs.getVariableDeclExpr() and - def.getADefinition() = defTo and + def.getDefinition() = defTo and node2.(SsaDefinitionNode).getDefinition() = def and c instanceof ElementContent ) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 6966152475bc..89c7276a1a29 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -825,7 +825,7 @@ private module Cached { } cached - AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { + deprecated AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) | result = ad or result = getASameOutRefDefAfter(v, ad) @@ -858,7 +858,9 @@ private module Cached { } cached - predicate explicitDefinition(WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad) { + deprecated predicate explicitDefinition( + WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad + ) { exists(BasicBlock bb, int i | def.definesAt(v, bb, i) and variableDefinition(bb, i, v, ad) @@ -1023,7 +1025,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu * as we, conservatively, consider such definitions to be certain. */ predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) { - def instanceof Ssa::ExplicitDefinition + def instanceof SsaExplicitWrite or def = any(Ssa::ImplicitQualifierDefinition qdef | diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll index fafb85440a27..b85f68883ab6 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/RangeUtils.qll @@ -19,7 +19,7 @@ private module Impl { } /** Holds if SSA definition `def` equals `e + delta`. */ - predicate ssaUpdateStep(ExplicitDefinition def, ExprNode e, int delta) { + predicate ssaUpdateStep(SsaExplicitWrite def, ExprNode e, int delta) { exists(ControlFlowNode cfn | cfn = def.getControlFlowNode() | e = cfn.(ExprNode::Assignment).getRightOperand() and delta = 0 and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 55b3ac31aa3e..96d6b2b979a4 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -35,7 +35,7 @@ module Private { class Expr = CS::ControlFlowNodes::ExprNode; - class VariableUpdate = CS::Ssa::ExplicitDefinition; + class VariableUpdate = CS::SsaExplicitWrite; class Field = CS::Field; @@ -122,37 +122,25 @@ private module Impl { } /** Returns the underlying variable update of the explicit SSA variable `v`. */ - Ssa::ExplicitDefinition getExplicitSsaAssignment(Ssa::ExplicitDefinition v) { result = v } + SsaExplicitWrite getExplicitSsaAssignment(SsaExplicitWrite v) { result = v } /** Returns the assignment of the variable update `def`. */ - ExprNode getExprFromSsaAssignment(Ssa::ExplicitDefinition def) { - exists(AssignableDefinition adef | - adef = def.getADefinition() and - hasChild(adef.getExpr(), adef.getSource(), def.getControlFlowNode(), result) - ) - or - exists(AssignableDefinitions::AssignOperationDefinition adef | - adef = def.getADefinition() and - result.getExpr() = adef.getSource() - ) - } + ExprNode getExprFromSsaAssignment(SsaExplicitWrite def) { result.getExpr() = def.getValue() } /** Holds if `def` can have any sign. */ - predicate explicitSsaDefWithAnySign(Ssa::ExplicitDefinition def) { - not exists(def.getADefinition().getSource()) and - not def.getElement() instanceof MutatorOperation + predicate explicitSsaDefWithAnySign(SsaExplicitWrite def) { + not exists(def.getValue()) and + not def.getDefiningExpr() instanceof MutatorOperation } /** Returns the operand of the operation if `def` is a decrement. */ - ExprNode getDecrementOperand(Ssa::ExplicitDefinition def) { - hasChild(def.getElement(), def.getElement().(DecrementOperation).getOperand(), - def.getControlFlowNode(), result) + ExprNode getDecrementOperand(SsaExplicitWrite def) { + result.getExpr() = def.getDefiningExpr().(DecrementOperation).getOperand() } /** Returns the operand of the operation if `def` is an increment. */ - ExprNode getIncrementOperand(Ssa::ExplicitDefinition def) { - hasChild(def.getElement(), def.getElement().(IncrementOperation).getOperand(), - def.getControlFlowNode(), result) + ExprNode getIncrementOperand(SsaExplicitWrite def) { + result.getExpr() = def.getDefiningExpr().(IncrementOperation).getOperand() } /** Gets the variable underlying the implicit SSA variable `def`. */ diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll index 5681976a378c..33afe07dae33 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaUtils.qll @@ -17,9 +17,9 @@ class SsaVariable extends SsaDefinition { /** Gets a node that reads `src` via an SSA explicit definition. */ ExprNode getAnExplicitDefinitionRead(ExprNode src) { - exists(ExplicitDefinition def | + exists(SsaExplicitWrite def | def.getARead().getControlFlowNode() = result and - hasChild(def.getElement(), def.getADefinition().getSource(), def.getControlFlowNode(), src) + hasChild(def.getDefiningExpr(), def.getValue(), def.getControlFlowNode(), src) ) } @@ -45,15 +45,15 @@ ExprNode ssaRead(SsaDefinition v, int delta) { delta = d1 + c.getIntValue() ) or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PreIncrExpr) = result and delta = 0 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PreIncrExpr) = result and delta = 0 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PreDecrExpr) = result and delta = 0 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PreDecrExpr) = result and delta = 0 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PostIncrExpr) = result and delta = 1 // x++ === ++x - 1 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PostIncrExpr) = result and delta = 1 // x++ === ++x - 1 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::PostDecrExpr) = result and delta = -1 // x-- === --x + 1 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::PostDecrExpr) = result and delta = -1 // x-- === --x + 1 or - v.(ExplicitDefinition).getControlFlowNode().(ExprNode::Assignment) = result and delta = 0 + v.(SsaExplicitWrite).getControlFlowNode().(ExprNode::Assignment) = result and delta = 0 or result.(ExprNode::AssignExpr).getRightOperand() = ssaRead(v, delta) } diff --git a/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql b/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql index 12baac99c78d..cf57707608b4 100644 --- a/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql +++ b/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql @@ -92,7 +92,7 @@ class RelevantDefinition extends AssignableDefinition { private predicate isMaybeLive() { exists(LocalVariable v | v = this.getTarget() | // SSA definitions are only created for live variables - this = any(Ssa::ExplicitDefinition ssaDef).getADefinition() + this = any(SsaExplicitWrite ssaDef).getDefinition() or mayEscape(v) or diff --git a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql index 4d68f6ee6282..afb44727e34f 100644 --- a/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql +++ b/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql @@ -36,17 +36,16 @@ abstract class BadDynamicCall extends DynamicExpr { } private Type possibleTypeForRelevantSource(Variable v, int i, Expr source) { - exists(AssignableRead read, SsaDefinition ssaDef, Ssa::ExplicitDefinition ultimateSsaDef | + exists(AssignableRead read, SsaDefinition ssaDef, SsaExplicitWrite ultimateSsaDef | read = this.getARelevantVariableAccess(i) and v = read.getTarget() and result = source.getType() and read = ssaDef.getARead() and ultimateSsaDef = ssaDef.getAnUltimateDefinition() | - ultimateSsaDef.getADefinition() = - any(AssignableDefinition def | source = def.getSource().stripImplicit()) + ultimateSsaDef.getValue().stripImplicit() = source or - ultimateSsaDef.getADefinition() = + ultimateSsaDef.getDefinition() = any(AssignableDefinitions::ImplicitParameterDefinition p | source = p.getParameter().getAnAssignedValue().stripImplicit() ) diff --git a/csharp/ql/test/library-tests/csharp7/DefUse.ql b/csharp/ql/test/library-tests/csharp7/DefUse.ql index e696307be28c..ccdd4db01573 100644 --- a/csharp/ql/test/library-tests/csharp7/DefUse.ql +++ b/csharp/ql/test/library-tests/csharp7/DefUse.ql @@ -3,11 +3,6 @@ import csharp from AssignableDefinition def, AssignableRead read, SsaDefinition ult, SsaDefinition ssaDef where ssaDef.getAnUltimateDefinition() = ult and - ( - ult.(Ssa::ExplicitDefinition).getADefinition() = def - or - ult.(Ssa::ParameterDefinition).getParameter() = - def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter() - ) and + ult.(SsaExplicitWrite).getDefinition() = def and read = ssaDef.getARead() select def, read diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll index 95a93e24a2ae..2af01c723333 100644 --- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll @@ -2,9 +2,9 @@ import csharp private import semmle.code.csharp.controlflow.Guards private predicate outRefDef(DataFlow::ExprNode ne, int outRef) { - exists(Ssa::ExplicitDefinition def, Parameter outRefParameter | + exists(SsaExplicitWrite def, Parameter outRefParameter | outRefParameter.isOutOrRef() and - ne.getExpr() = def.getADefinition().getSource() and + ne.getExpr() = def.getValue() and Ssa::isLiveOutRefParameterDefinition(def, outRefParameter) and outRef = outRefParameter.getPosition() ) diff --git a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql index 800ae9717598..1897c97bd652 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/defUseEquivalence.ql @@ -12,6 +12,10 @@ predicate defReaches( def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter().getControlFlowNode() ].getASuccessor() or + def.getTarget() = v and + cfn = + def.(AssignableDefinitions::ImplicitParameterDefinition).getEnclosingCallable().getEntryPoint() + or exists(ControlFlowNode mid | defReaches(def, v, mid) | not mid = any(AssignableDefinition ad | ad.getTarget() = v and ad.isCertain()) @@ -30,7 +34,7 @@ predicate defUsePair(AssignableDefinition def, AssignableRead read) { private LocalScopeVariableRead getAReachableUncertainRead(AssignableDefinition def) { exists(SsaDefinition ssaDef | - def = ssaDef.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() + def = ssaDef.getAnUltimateDefinition().(SsaExplicitWrite).getDefinition() | result = ssaDef.getARead() ) diff --git a/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql b/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql index 94218ca6c7e5..e9d2f74ff27b 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa-large/countssa.ql @@ -2,6 +2,6 @@ import csharp from int uses, int live where - uses = strictcount(Ssa::ExplicitDefinition ssa, AssignableRead read | read = ssa.getARead()) and - live = strictcount(Ssa::ExplicitDefinition ssa, BasicBlock bb | ssa.isLiveAtEndOfBlock(bb)) + uses = strictcount(SsaExplicitWrite ssa, AssignableRead read | read = ssa.getARead()) and + live = strictcount(SsaExplicitWrite ssa, BasicBlock bb | ssa.isLiveAtEndOfBlock(bb)) select uses, live diff --git a/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql b/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql index d68e39fb3966..2634ef14a37b 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/BaseSsaConsistency.ql @@ -8,12 +8,8 @@ where ar = ssaDef.getARead() and def = ssaDef.getDefinition() and v = def.getTarget() and - not exists(Ssa::ExplicitDefinition edef | - edef.getADefinition() = def and - edef.getARead() = ar - ) and - not exists(Ssa::ParameterDefinition edef | - edef.getParameter() = def.(AssignableDefinitions::ImplicitParameterDefinition).getParameter() and + not exists(SsaExplicitWrite edef | + edef.getDefinition() = def and edef.getARead() = ar ) select ar, def diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql index bf4c70ee6735..4e37c24b0cc5 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaExplicitDef.ql @@ -1,5 +1,5 @@ import csharp -from Ssa::SourceVariable v, Ssa::ExplicitDefinition def +from Ssa::SourceVariable v, SsaExplicitWrite def where v = def.getSourceVariable() -select v, def, def.getADefinition() +select v, def, def.getDefinition() From 31e06bc0a928783833e82c07bd8a835e4b69c621 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 14:56:52 +0200 Subject: [PATCH 12/22] C#: Remove SSA location overrides. --- .../lib/semmle/code/csharp/dataflow/SSA.qll | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index ed75874b8420..39cbf602650b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -422,9 +422,6 @@ module Ssa { deprecated final predicate isLiveOutRefParameterDefinition(Parameter p) { SsaImpl::isLiveOutRefParameterDefinition(this, p) } - - /** Gets the location of this SSA definition. */ - override Location getLocation() { none() } } /** @@ -509,8 +506,6 @@ module Ssa { override Element getElement() { result = ad.getElement() } override string toString() { result = "SSA def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = ad.getLocation() } } /** @@ -556,8 +551,6 @@ module Ssa { then result = "SSA capture def(" + this.getSourceVariable() + ")" else result = "SSA entry def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = this.getCallable().getLocation() } } deprecated class ImplicitParameterDefinition = ParameterDefinition; @@ -625,8 +618,6 @@ module Ssa { } override string toString() { result = "SSA call def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = this.getCall().getLocation() } } /** @@ -649,8 +640,6 @@ module Ssa { final Definition getQualifierDefinition() { result = q } override string toString() { result = "SSA qualifier def(" + this.getSourceVariable() + ")" } - - override Location getLocation() { result = this.getQualifierDefinition().getLocation() } } /** @@ -689,16 +678,6 @@ module Ssa { } override string toString() { result = "SSA phi(" + this.getSourceVariable() + ")" } - - /* - * The location of a phi node is the same as the location of the first node - * in the basic block in which it is defined. - * - * Strictly speaking, the node is *before* the first node, but such a location - * does not exist in the source program. - */ - - override Location getLocation() { result = this.getBasicBlock().getFirstNode().getLocation() } } /** From 6ecdf3fe3298c16cd232a4852185e83205a79c40 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 14:59:22 +0200 Subject: [PATCH 13/22] C#: Replace Ssa::ImplicitParameterDefinition with SsaParameterInit. --- .../lib/semmle/code/csharp/dataflow/Nullness.qll | 6 ++---- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 3 +++ .../csharp/dataflow/internal/DataFlowPrivate.qll | 14 +++----------- .../code/csharp/dataflow/internal/SsaImpl.qll | 2 +- .../dataflow/defuse/parameterUseEquivalence.ql | 2 +- .../dataflow/ssa/SsaImplicitParameterDef.ql | 2 +- 6 files changed, 11 insertions(+), 18 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 662cd5a5d189..3fc4f05a2788 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -126,7 +126,7 @@ private predicate nonNullDef(SsaExplicitWrite def) { */ private predicate dereferenceAt(SsaDefinition def, Dereference d) { d = def.getARead() } -private predicate isMaybeNullArgument(Ssa::ParameterDefinition def, MaybeNullExpr arg) { +private predicate isMaybeNullArgument(SsaParameterInit def, MaybeNullExpr arg) { exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p | p = def.getParameter() | @@ -320,9 +320,7 @@ class Dereference extends G::DereferenceableExpr { not p.getAnnotatedType().isNullableRefType() or p.fromSource() and - exists( - Ssa::ParameterDefinition def, AssignableDefinitions::ImplicitParameterDefinition pdef - | + exists(SsaParameterInit def, AssignableDefinitions::ImplicitParameterDefinition pdef | p = def.getParameter() | p.getUnboundDeclaration() = pdef.getParameter() and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 39cbf602650b..384e327ff7eb 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -553,6 +553,9 @@ module Ssa { } } + /** + * DEPRECATED: Use `SsaParameterInit` instead. + */ deprecated class ImplicitParameterDefinition = ParameterDefinition; final class ParameterDefinition = SsaImpl::ParameterDefinitionImpl; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index b55b0cbd9349..f581628a79c0 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1302,12 +1302,6 @@ private module NearestLocationInputParamAfterCallable implements NearestLocation } private module ParameterNodes { - pragma[nomagic] - private predicate ssaParamDef(Ssa::ParameterDefinition ssaDef, Parameter p, Location l) { - p = ssaDef.getParameter() and - l = ssaDef.getLocation() - } - private module NearestLocationInputParamBeforeCallable implements NearestLocationInputSig { class C = Parameter; @@ -1358,11 +1352,9 @@ private module ParameterNodes { } /** Gets the SSA definition corresponding to this parameter, if any. */ - Ssa::ParameterDefinition getSsaDefinition() { - exists(Parameter p, Location l | - l = this.getParameterLocation(p) and - ssaParamDef(result, p, l) - ) + SsaParameterInit getSsaDefinition() { + result.getParameter() = parameter and + result.getBasicBlock() = callable.getABasicBlock() } override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 89c7276a1a29..715fe4867590 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -1017,7 +1017,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu predicate ssaDefHasSource(WriteDefinition def) { // exclude flow directly from RHS to SSA definition, as we instead want to // go from RHS to matching assignable definition, and from there to SSA definition - def instanceof Ssa::ParameterDefinition + def instanceof SsaParameterInit } /** diff --git a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql index 10b916ab3f41..fdb1a6e89950 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/parameterUseEquivalence.ql @@ -24,7 +24,7 @@ private LocalScopeVariableRead getAReachableUncertainRead( AssignableDefinitions::ImplicitParameterDefinition p ) { exists(SsaDefinition ssaDef | - p.getParameter() = ssaDef.getAnUltimateDefinition().(Ssa::ParameterDefinition).getParameter() + p.getParameter() = ssaDef.getAnUltimateDefinition().(SsaParameterInit).getParameter() | result = ssaDef.getARead() ) diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql index 253fdea1ffa5..b1c28f020d14 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SsaImplicitParameterDef.ql @@ -1,5 +1,5 @@ import csharp -from Ssa::SourceVariable v, Ssa::ParameterDefinition def +from Ssa::SourceVariable v, SsaParameterInit def where v = def.getSourceVariable() select v, def, def.getParameter() From 9a7eb8dfb9f46914a6e714b144846c1b261f94bf Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 15:05:12 +0200 Subject: [PATCH 14/22] C#: Replace Ssa::PhiNode with SsaPhiDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll | 8 ++++---- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 8 +++++--- .../lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 2 +- .../internal/rangeanalysis/ModulusAnalysisSpecific.qll | 2 +- .../internal/rangeanalysis/SignAnalysisSpecific.qll | 2 +- .../internal/rangeanalysis/SsaReadPositionSpecific.qll | 2 +- .../library-tests/dataflow/defuse/useUseEquivalence.ql | 4 ++-- csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql | 2 +- 8 files changed, 16 insertions(+), 14 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll index 3fc4f05a2788..1cd9c71acfc9 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll @@ -186,7 +186,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m de.guardSuggestsMaybeNull(reason) and msg = "as suggested by $@ null check" and node = def.getControlFlowNode() and - not de = any(Ssa::PhiNode phi).getARead() and + not de = any(SsaPhiDefinition phi).getARead() and // Don't use a check as reason if there is a `null` assignment // or argument not def.(SsaExplicitWrite).getValue() instanceof MaybeNullExpr and @@ -213,7 +213,7 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m exists(Dereference d | dereferenceAt(def, d) | node = def.getControlFlowNode() and d.hasNullableType() and - not def instanceof Ssa::PhiNode and + not def instanceof SsaPhiDefinition and reason = def.getSourceVariable().getAssignable() and msg = "because it has a nullable type" ) @@ -221,14 +221,14 @@ private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string m } private SsaDefinition getAPseudoInput(SsaDefinition def) { - result = def.(Ssa::PhiNode).getAnInput() + result = def.(SsaPhiDefinition).getAnInput() } // `def.getAnUltimateDefinition()` includes inputs into uncertain // definitions, but we only want inputs into pseudo nodes private SsaDefinition getAnUltimateDefinition(SsaDefinition def) { result = getAPseudoInput*(def) and - not result instanceof Ssa::PhiNode + not result instanceof SsaPhiDefinition } /** diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 384e327ff7eb..812115050457 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -357,7 +357,7 @@ module Ssa { * includes inputs to phi nodes and the prior definitions of uncertain writes. */ private Definition getAPhiInputOrPriorDefinition() { - result = this.(PhiNode).getAnInput() or + result = this.(SsaPhiDefinition).getAnInput() or result = this.(UncertainDefinition).getPriorDefinition() } @@ -392,7 +392,7 @@ module Ssa { */ final Definition getAnUltimateDefinition() { result = this.getAPhiInputOrPriorDefinition*() and - not result instanceof PhiNode + not result instanceof SsaPhiDefinition } /** @@ -646,11 +646,13 @@ module Ssa { } /** + * DEPRECATED: Use `SsaPhiDefinition` instead. + * * An SSA phi node, that is, a pseudo definition for a variable at a point * in the flow graph where otherwise two or more definitions for the variable * would be visible. */ - class PhiNode extends Definition, SsaImpl::PhiNode { + deprecated class PhiNode extends Definition, SsaImpl::PhiNode { /** * Gets an input of this phi node. Example: * diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 715fe4867590..74bc5651aeea 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -873,7 +873,7 @@ private module Cached { } cached - Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { + deprecated Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { Impl::phiHasInputFromBlock(phi, result, bb) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll index fbc09e7ec52d..34b5ec9a5e85 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ModulusAnalysisSpecific.qll @@ -9,7 +9,7 @@ module Private { class SsaVariable = SU::SsaVariable; - class SsaPhiNode = CS::Ssa::PhiNode; + class SsaPhiNode = CS::SsaPhiDefinition; class Expr = CS::ControlFlowNodes::ExprNode; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 96d6b2b979a4..77e30d239fd3 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -15,7 +15,7 @@ module Private { class SsaVariable = CS::SsaDefinition; - class SsaPhiNode = CS::Ssa::PhiNode; + class SsaPhiNode = CS::SsaPhiDefinition; class VarAccess = RU::ExprNode::AssignableAccess; diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll index 18c843c0472c..77833591c3eb 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionSpecific.qll @@ -7,7 +7,7 @@ private import SsaReadPositionCommon class SsaVariable = CS::SsaDefinition; -class SsaPhiNode = CS::Ssa::PhiNode; +class SsaPhiNode = CS::SsaPhiDefinition; class BasicBlock = CS::BasicBlock; diff --git a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql index 986707c018dd..c92dd13ab1ee 100644 --- a/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql +++ b/csharp/ql/test/library-tests/dataflow/defuse/useUseEquivalence.ql @@ -32,7 +32,7 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea result = TLocalScopeVariableRead(read.getANextRead()) or not exists(read.getANextRead()) and - exists(SsaDefinition ssaDef, Ssa::PhiNode phi, BasicBlock bb | + exists(SsaDefinition ssaDef, SsaPhiDefinition phi, BasicBlock bb | ssaDef.getARead() = read and phi.getAnInput() = ssaDef and phi.definesAt(_, bb, _) and @@ -45,7 +45,7 @@ private TLocalScopeVariableReadOrSsaDef getANextReadOrDef(TLocalScopeVariableRea result = TLocalScopeVariableRead(Ssa::ssaGetAFirstUse(ssaDef)) or not exists(Ssa::ssaGetAFirstUse(ssaDef)) and - exists(Ssa::PhiNode phi | + exists(SsaPhiDefinition phi | phi.getAnInput() = ssaDef and result = TSsaDefinition(phi) ) diff --git a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql index db24031365a4..310bc40fcad4 100644 --- a/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql +++ b/csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.ql @@ -1,6 +1,6 @@ import csharp -from Ssa::SourceVariable v, Ssa::PhiNode phi, SsaDefinition input +from Ssa::SourceVariable v, SsaPhiDefinition phi, SsaDefinition input where phi.getAnInput() = input and v = phi.getSourceVariable() From 65f647a8c0221cb305bff37e712ed1e38f5d4d52 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 27 Apr 2026 15:07:51 +0200 Subject: [PATCH 15/22] C#: Replace Ssa::UncertainDefinition with SsaUncertainWrite. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 6 ++++-- .../ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 812115050457..d29ace056b94 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -358,7 +358,7 @@ module Ssa { */ private Definition getAPhiInputOrPriorDefinition() { result = this.(SsaPhiDefinition).getAnInput() or - result = this.(UncertainDefinition).getPriorDefinition() + result = this.(SsaUncertainWrite).getPriorDefinition() } /** @@ -686,12 +686,14 @@ module Ssa { } /** + * DEPRECATED: Use `SsaUncertainWrite` instead. + * * An SSA definition that represents an uncertain update of the underlying * assignable. Either an explicit update that is uncertain (`ref` assignments * need not be certain), an implicit non-local update via a call, or an * uncertain update of the qualifier. */ - class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition { + deprecated class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition { /** * Gets the immediately preceding definition. Since this update is uncertain, * the value from the preceding definition might still be valid. diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 74bc5651aeea..a610fd4bcd41 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -912,7 +912,7 @@ private module Cached { } cached - Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { + deprecated Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { Impl::uncertainWriteDefinitionInput(def, result) } From 80d5e27b46885021323addc53026bbedcd913b30 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 11:03:03 +0200 Subject: [PATCH 16/22] C#: Deprecate Ssa::ImplicitEntryDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 4 +++- .../semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll | 5 +---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index d29ace056b94..edc7e6a6a89b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -529,11 +529,13 @@ module Ssa { } /** + * DEPRECATED: Use `SsaParameterInit` or `SsaImplicitEntryDefinition` instead. + * * An SSA definition representing the implicit initialization of a variable * at the beginning of a callable. Either a local scope variable captured by * the callable or a field or property accessed inside the callable. */ - class ImplicitEntryDefinition extends ImplicitDefinition { + deprecated class ImplicitEntryDefinition extends ImplicitDefinition { ImplicitEntryDefinition() { exists(BasicBlock bb, SourceVariable v | this.definesAt(v, bb, -1) and diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index f581628a79c0..7b1d35c6e5a8 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -1430,7 +1430,7 @@ private module ParameterNodes { } /** An implicit entry definition for a captured variable. */ - class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition { + deprecated class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition { private LocalScopeVariable v; SsaCapturedEntryDefinition() { this.getSourceVariable().getAssignable() = v } @@ -2011,9 +2011,6 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead exists(SsaDefinition def, Ssa::ImplicitDefinition idef | def.getARead() = this and idef = def.getAnUltimateDefinition() - | - idef instanceof Ssa::ImplicitEntryDefinition or - idef instanceof Ssa::ImplicitCallDefinition ) } } From de96b5acfd8910ec6e4970f5c3bad0362d01f3c4 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 11:15:13 +0200 Subject: [PATCH 17/22] C#: Deprecate Ssa::ImplicitDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 8 +++++--- .../code/csharp/dataflow/internal/DataFlowPrivate.qll | 4 ++-- .../internal/rangeanalysis/SignAnalysisSpecific.qll | 4 ++-- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index edc7e6a6a89b..be265188e5d2 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -509,13 +509,15 @@ module Ssa { } /** + * DEPRECATED: Use `SsaParameterInit` or `SsaImplicitWrite` instead. + * * An SSA definition that does not correspond to an explicit variable definition. * Either an implicit initialization of a variable at the beginning of a callable * (`ImplicitEntryDefinition`), an implicit definition via a call * (`ImplicitCallDefinition`), or an implicit definition where the qualifier is * updated (`ImplicitQualifierDefinition`). */ - class ImplicitDefinition extends Definition, SsaImpl::WriteDefinition { + deprecated class ImplicitDefinition extends Definition, SsaImpl::WriteDefinition { ImplicitDefinition() { exists(BasicBlock bb, SourceVariable v, int i | this.definesAt(v, bb, i) | SsaImpl::implicitEntryDefinition(bb, v) and @@ -596,7 +598,7 @@ module Ssa { * An SSA definition representing the potential definition of a variable * via a call. */ - class ImplicitCallDefinition extends ImplicitDefinition { + class ImplicitCallDefinition extends SsaImplicitWrite { private Call c; ImplicitCallDefinition() { @@ -629,7 +631,7 @@ module Ssa { * An SSA definition representing the potential definition of a variable * via an SSA definition for the qualifier. */ - class ImplicitQualifierDefinition extends ImplicitDefinition, SsaImpl::WriteDefinition { + class ImplicitQualifierDefinition extends SsaImplicitWrite { private Definition q; ImplicitQualifierDefinition() { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index 7b1d35c6e5a8..ccf65ddb37c3 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -2008,9 +2008,9 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead * SSA updates. */ predicate hasNonlocalValue() { - exists(SsaDefinition def, Ssa::ImplicitDefinition idef | + exists(SsaDefinition def | def.getARead() = this and - idef = def.getAnUltimateDefinition() + def.getAnUltimateDefinition() instanceof SsaImplicitWrite ) } } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index 77e30d239fd3..48ed00858a0d 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll @@ -144,12 +144,12 @@ private module Impl { } /** Gets the variable underlying the implicit SSA variable `def`. */ - Declaration getImplicitSsaDeclaration(Ssa::ImplicitDefinition def) { + Declaration getImplicitSsaDeclaration(SsaImplicitWrite def) { result = def.getSourceVariable().getAssignable() } /** Holds if the variable underlying the implicit SSA variable `def` is not a field. */ - predicate nonFieldImplicitSsaDefinition(Ssa::ImplicitDefinition def) { + predicate nonFieldImplicitSsaDefinition(SsaImplicitWrite def) { not getImplicitSsaDeclaration(def) instanceof Field } From 55b83ca22aa04480b0bc901f1bbe9b99a9b47db1 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 11:20:54 +0200 Subject: [PATCH 18/22] C#: Deprecate Ssa::Definition in favour of SsaDefinition. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index be265188e5d2..4a7f774af072 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -74,7 +74,7 @@ module Ssa { * Gets an SSA definition that has this variable as its underlying * source variable. */ - Definition getAnSsaDefinition() { result.getSourceVariable() = this } + SsaDefinition getAnSsaDefinition() { result.getSourceVariable() = this } } /** Provides different types of `SourceVariable`s. */ @@ -193,11 +193,13 @@ module Ssa { predicate isLiveOutRefParameterDefinition = SsaImpl::isLiveOutRefParameterDefinition/2; /** + * DEPRECATED: Use `SsaDefinition` instead. + * * A static single assignment (SSA) definition. Either an explicit variable * definition (`ExplicitDefinition`), an implicit variable definition * (`ImplicitDefinition`), or a phi node (`PhiNode`). */ - class Definition extends SsaImpl::Definition { + deprecated class Definition extends SsaImpl::Definition { /** Gets the control flow node of this SSA definition. */ final ControlFlowNode getControlFlowNode() { exists(BasicBlock bb, int i | this.definesAt(_, bb, i) | result = bb.getNode(0.maximum(i))) @@ -632,7 +634,7 @@ module Ssa { * via an SSA definition for the qualifier. */ class ImplicitQualifierDefinition extends SsaImplicitWrite { - private Definition q; + private SsaDefinition q; ImplicitQualifierDefinition() { exists(BasicBlock bb, int i, SourceVariables::QualifiedFieldOrPropSourceVariable v | @@ -644,7 +646,7 @@ module Ssa { } /** Gets the SSA definition for the qualifier. */ - final Definition getQualifierDefinition() { result = q } + final SsaDefinition getQualifierDefinition() { result = q } override string toString() { result = "SSA qualifier def(" + this.getSourceVariable() + ")" } } From bedadc9f04f388e6c13ef9c2a3f2584dc42a46cc Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 13:35:14 +0200 Subject: [PATCH 19/22] C#: Deprecate some SSA internals. --- .../code/csharp/dataflow/internal/SsaImpl.qll | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index a610fd4bcd41..6db089928e0d 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -78,11 +78,11 @@ module Ssa_ = Impl::MakeSsa; class Definition = Impl::Definition; -class WriteDefinition = Impl::WriteDefinition; +deprecated class WriteDefinition = Impl::WriteDefinition; -class UncertainWriteDefinition = Impl::UncertainWriteDefinition; +deprecated class UncertainWriteDefinition = Impl::UncertainWriteDefinition; -class PhiNode = Impl::PhiNode; +deprecated class PhiNode = Impl::PhiNode; module Consistency = Impl::Consistency; @@ -868,7 +868,7 @@ private module Cached { } cached - predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { + deprecated predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { Impl::ssaDefReachesEndOfBlock(bb, def, _) } @@ -878,7 +878,7 @@ private module Cached { } cached - AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { + deprecated AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { exists(Ssa::SourceVariable v, BasicBlock bb, int i | Impl::ssaDefReachesRead(v, def, bb, i) and variableReadActual(bb, i, v) and @@ -1012,9 +1012,9 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu predicate hasCfgNode(BasicBlock bb, int i) { this = bb.getNode(i) } } - Expr getARead(Definition def) { exists(getAReadAtNode(def, result)) } + Expr getARead(Definition def) { def.(SsaDefinition).getARead().getControlFlowNode() = result } - predicate ssaDefHasSource(WriteDefinition def) { + predicate ssaDefHasSource(Impl::WriteDefinition def) { // exclude flow directly from RHS to SSA definition, as we instead want to // go from RHS to matching assignable definition, and from there to SSA definition def instanceof SsaParameterInit @@ -1024,7 +1024,7 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu * Allows for flow into uncertain defintions that are not call definitions, * as we, conservatively, consider such definitions to be certain. */ - predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) { + predicate allowFlowIntoUncertainDef(Impl::UncertainWriteDefinition def) { def instanceof SsaExplicitWrite or def = From e0421dbf536230046c5ac20e502df469d47630f4 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 13:38:14 +0200 Subject: [PATCH 20/22] C#: Reinstate toString for SSA data flow nodes. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 14 -------------- .../code/csharp/dataflow/internal/SsaImpl.qll | 4 ++++ shared/ssa/codeql/ssa/Ssa.qll | 4 +++- 3 files changed, 7 insertions(+), 15 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index 4a7f774af072..c251a30b3515 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -506,8 +506,6 @@ module Ssa { } override Element getElement() { result = ad.getElement() } - - override string toString() { result = "SSA def(" + this.getSourceVariable() + ")" } } /** @@ -551,12 +549,6 @@ module Ssa { final Callable getCallable() { result = this.getBasicBlock().getEnclosingCallable() } override Element getElement() { result = this.getCallable() } - - override string toString() { - if this.getSourceVariable().getAssignable() instanceof LocalScopeVariable - then result = "SSA capture def(" + this.getSourceVariable() + ")" - else result = "SSA entry def(" + this.getSourceVariable() + ")" - } } /** @@ -590,10 +582,6 @@ module Ssa { /** Gets the parameter that this entry definition represents. */ Parameter getParameter() { result = p } - - override string toString() { - result = "SSA param_default(" + pragma[only_bind_out](this.getParameter()) + ")" - } } /** @@ -687,8 +675,6 @@ module Ssa { predicate hasInputFromBlock(Definition inp, BasicBlock bb) { inp = SsaImpl::phiHasInputFromBlock(this, bb) } - - override string toString() { result = "SSA phi(" + this.getSourceVariable() + ")" } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 6db089928e0d..218b8c977170 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -78,6 +78,10 @@ module Ssa_ = Impl::MakeSsa; class Definition = Impl::Definition; +private class SsaDefinitionToStringProxy extends Definition { + override string toString() { result = this.(SsaDefinition).toString() } +} + deprecated class WriteDefinition = Impl::WriteDefinition; deprecated class UncertainWriteDefinition = Impl::UncertainWriteDefinition; diff --git a/shared/ssa/codeql/ssa/Ssa.qll b/shared/ssa/codeql/ssa/Ssa.qll index 8d6b960b2833..861f797ed6d0 100644 --- a/shared/ssa/codeql/ssa/Ssa.qll +++ b/shared/ssa/codeql/ssa/Ssa.qll @@ -1054,7 +1054,7 @@ module Make< /** A static single assignment (SSA) definition. */ class SsaDefinition extends FinalDefinition { /** Gets a textual representation of this SSA definition. */ - string toString() { result = super.toString() } + string toString() { result = "SSA def(" + this.getSourceVariable() + ")" } /** * Gets the control flow node of this SSA definition. @@ -1207,6 +1207,8 @@ module Make< * a phi definition for `x` is inserted just before the call `puts x`. */ class SsaPhiDefinition extends SsaDefinition instanceof PhiNode { + override string toString() { result = "SSA phi(" + this.getSourceVariable() + ")" } + /** Holds if `inp` is an input to this phi definition along the edge originating in `bb`. */ predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) { phiHasInputFromBlockCached(this, inp, bb) From 77807c83f84c531946a5d219b7a7480e43231c05 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 14:46:43 +0200 Subject: [PATCH 21/22] C#: Exclude entry definitions from qualifier definitions. --- csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll | 1 + 1 file changed, 1 insertion(+) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll index c251a30b3515..23e1ee0afda6 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll @@ -625,6 +625,7 @@ module Ssa { private SsaDefinition q; ImplicitQualifierDefinition() { + not this instanceof SsaImplicitEntryDefinition and exists(BasicBlock bb, int i, SourceVariables::QualifiedFieldOrPropSourceVariable v | this.definesAt(v, bb, i) | From ff8ab191d13d73919cbeafdc7e3561d6970a4a64 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Tue, 28 Apr 2026 15:06:59 +0200 Subject: [PATCH 22/22] C#: Drop caching for deprecated predicates. --- .../code/csharp/dataflow/internal/SsaImpl.qll | 80 +++++++++---------- 1 file changed, 37 insertions(+), 43 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll index 218b8c977170..0f08e6d66ddf 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll @@ -828,14 +828,6 @@ private module Cached { ) } - cached - deprecated AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { - exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) | - result = ad or - result = getASameOutRefDefAfter(v, ad) - ) - } - /** * Holds if `call` may change the value of field or property `fp`. The actual * update occurs in `setter`. @@ -861,36 +853,6 @@ private module Cached { not updatesNamedFieldOrProp(bb, i, _, v, _) } - cached - deprecated predicate explicitDefinition( - WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad - ) { - exists(BasicBlock bb, int i | - def.definesAt(v, bb, i) and - variableDefinition(bb, i, v, ad) - ) - } - - cached - deprecated predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { - Impl::ssaDefReachesEndOfBlock(bb, def, _) - } - - cached - deprecated Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { - Impl::phiHasInputFromBlock(phi, result, bb) - } - - cached - deprecated AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { - exists(Ssa::SourceVariable v, BasicBlock bb, int i | - Impl::ssaDefReachesRead(v, def, bb, i) and - variableReadActual(bb, i, v) and - cfn = bb.getNode(i) and - result.getControlFlowNode() = cfn - ) - } - /** * Holds if the value defined at SSA definition `def` can reach a read at `cfn`, * without passing through any other read. @@ -915,11 +877,6 @@ private module Cached { ) } - cached - deprecated Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { - Impl::uncertainWriteDefinitionInput(def, result) - } - /** * Holds if the SSA definition `def` assigns to `out`/`ref` parameter `p`, and the * parameter may remain unchanged throughout the rest of the enclosing callable. @@ -1009,6 +966,43 @@ private module Cached { import Cached +deprecated AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) { + exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) | + result = ad or + result = getASameOutRefDefAfter(v, ad) + ) +} + +deprecated predicate explicitDefinition( + WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad +) { + exists(BasicBlock bb, int i | + def.definesAt(v, bb, i) and + variableDefinition(bb, i, v, ad) + ) +} + +deprecated predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) { + Impl::ssaDefReachesEndOfBlock(bb, def, _) +} + +deprecated Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) { + Impl::phiHasInputFromBlock(phi, result, bb) +} + +deprecated AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) { + exists(Ssa::SourceVariable v, BasicBlock bb, int i | + Impl::ssaDefReachesRead(v, def, bb, i) and + variableReadActual(bb, i, v) and + cfn = bb.getNode(i) and + result.getControlFlowNode() = cfn + ) +} + +deprecated Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) { + Impl::uncertainWriteDefinitionInput(def, result) +} + private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig { private import codeql.util.Boolean