Java: Replace SSA class wrappers with shared code.

Author: aschackmull

java/ql/lib/semmle/code/java/controlflow/ControlFlowReachability.qll

@@ -6,11 +6,12 @@ module;
 
 import java
 private import codeql.controlflow.ControlFlowReachability
-private import semmle.code.java.dataflow.SSA as SSA
+private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.controlflow.Guards as Guards
 
 private module ControlFlowInput implements InputSig<Location, ControlFlowNode, BasicBlock> {
   private import java as J
+  import Ssa
 
   AstNode getEnclosingAstNode(ControlFlowNode node) { node.getAstNode() = result }
 
@@ -27,23 +28,6 @@ private module ControlFlowInput implements InputSig<Location, ControlFlowNode, B
 
   class Expr = J::Expr;
 
-  class SourceVariable = SSA::SsaSourceVariable;
-
-  class SsaDefinition = SSA::SsaVariable;
-
-  class SsaExplicitWrite extends SsaDefinition instanceof SSA::SsaExplicitUpdate {
-    Expr getValue() {
-      super.getDefiningExpr().(VariableAssign).getSource() = result or
-      super.getDefiningExpr().(AssignOp) = result
-    }
-  }
-
-  class SsaPhiDefinition = SSA::SsaPhiNode;
-
-  class SsaUncertainWrite extends SsaDefinition instanceof SSA::SsaUncertainImplicitUpdate {
-    SsaDefinition getPriorDefinition() { result = super.getPriorDef() }
-  }
-
   class GuardValue = Guards::GuardValue;
 
   predicate ssaControlsBranchEdge(SsaDefinition def, BasicBlock bb1, BasicBlock bb2, GuardValue v) {

java/ql/lib/semmle/code/java/controlflow/Guards.qll

@@ -416,30 +416,8 @@ private module LogicInput_v1 implements GuardsImpl::LogicInputSig {
 }
 
 private module LogicInput_v2 implements GuardsImpl::LogicInputSig {
-  private import semmle.code.java.dataflow.SSA as SSA
-
-  final private class FinalSsaVariable = SSA::SsaVariable;
-
-  class SsaDefinition extends FinalSsaVariable {
-    GuardsInput::Expr getARead() { result = this.getAUse() }
-  }
-
-  class SsaExplicitWrite extends SsaDefinition instanceof SSA::SsaExplicitUpdate {
-    GuardsInput::Expr getValue() {
-      super.getDefiningExpr().(VariableAssign).getSource() = result or
-      super.getDefiningExpr().(AssignOp) = result
-    }
-  }
-
-  class SsaPhiDefinition extends SsaDefinition instanceof SSA::SsaPhiNode {
-    predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) {
-      super.hasInputFromBlock(inp, bb)
-    }
-  }
-
-  class SsaParameterInit extends SsaDefinition instanceof SSA::SsaImplicitInit {
-    Parameter getParameter() { super.isParameterDefinition(result) }
-  }
+  private import semmle.code.java.dataflow.SSA
+  import Ssa
 
   predicate additionalNullCheck = LogicInputCommon::additionalNullCheck/4;
 

java/ql/lib/semmle/code/java/dataflow/DefUse.qll

@@ -34,8 +34,12 @@ predicate useUsePair(VarRead use1, VarRead use2) { adjacentUseUse+(use1, use2) }
  * Other paths may also exist, so the SSA variables in `def` and `use` can be different.
  */
 predicate defUsePair(VariableUpdate def, VarRead use) {
-  exists(SsaVariable v |
-    v.getAUse() = use and v.getAnUltimateDefinition().(SsaExplicitUpdate).getDefiningExpr() = def
+  exists(SsaDefinition v, SsaExplicitWrite write |
+    v.getARead() = use and write.getDefiningExpr() = def
+  |
+    v.getAnUltimateDefinition() = write
+    or
+    v.(SsaCapturedDefinition).getAnUltimateCapturedDefinition() = write
   )
 }
 
@@ -46,7 +50,9 @@ predicate defUsePair(VariableUpdate def, VarRead use) {
  * Other paths may also exist, so the SSA variables can be different.
  */
 predicate parameterDefUsePair(Parameter p, VarRead use) {
-  exists(SsaVariable v |
-    v.getAUse() = use and v.getAnUltimateDefinition().(SsaImplicitInit).isParameterDefinition(p)
+  exists(SsaDefinition v, SsaParameterInit init | v.getARead() = use and init.getParameter() = p |
+    v.getAnUltimateDefinition() = init
+    or
+    v.(SsaCapturedDefinition).getAnUltimateCapturedDefinition() = init
   )
 }

java/ql/lib/semmle/code/java/dataflow/NullGuards.qll

@@ -26,9 +26,9 @@ Expr enumConstEquality(Expr e, boolean polarity, EnumConstant c) {
 }
 
 /** Gets an instanceof expression of `v` with type `type` */
-InstanceOfExpr instanceofExpr(SsaVariable v, RefType type) {
+InstanceOfExpr instanceofExpr(SsaDefinition v, RefType type) {
   result.getCheckedType() = type and
-  result.getExpr() = v.getAUse()
+  result.getExpr() = v.getARead()
 }
 
 /**
@@ -37,8 +37,8 @@ InstanceOfExpr instanceofExpr(SsaVariable v, RefType type) {
  *
  * Note this includes Kotlin's `==` and `!=` operators, which are value-equality tests.
  */
-EqualityTest varEqualityTestExpr(SsaVariable v1, SsaVariable v2, boolean isEqualExpr) {
-  result.hasOperands(v1.getAUse(), v2.getAUse()) and
+EqualityTest varEqualityTestExpr(SsaDefinition v1, SsaDefinition v2, boolean isEqualExpr) {
+  result.hasOperands(v1.getARead(), v2.getARead()) and
   isEqualExpr = result.polarity()
 }
 
@@ -91,37 +91,37 @@ Expr clearlyNotNullExpr(Expr reason) {
     (reason = r1 or reason = r2)
   )
   or
-  exists(SsaVariable v, boolean branch, VarRead rval, Guard guard |
+  exists(SsaDefinition v, boolean branch, VarRead rval, Guard guard |
     guard = directNullGuard(v, branch, false) and
     guard.controls(rval.getBasicBlock(), branch) and
     reason = guard and
-    rval = v.getAUse() and
+    rval = v.getARead() and
     result = rval and
     not result = baseNotNullExpr()
   )
   or
-  exists(SsaVariable v |
+  exists(SsaDefinition v |
     clearlyNotNull(v, reason) and
-    result = v.getAUse() and
+    result = v.getARead() and
     not result = baseNotNullExpr()
   )
 }
 
 /** Holds if `v` is an SSA variable that is provably not `null`. */
-predicate clearlyNotNull(SsaVariable v, Expr reason) {
+predicate clearlyNotNull(SsaDefinition v, Expr reason) {
   exists(Expr src |
-    src = v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() and
+    src = v.(SsaExplicitWrite).getValue() and
     src = clearlyNotNullExpr(reason)
   )
   or
   exists(CatchClause cc, LocalVariableDeclExpr decl |
     decl = cc.getVariable() and
-    decl = v.(SsaExplicitUpdate).getDefiningExpr() and
+    decl = v.(SsaExplicitWrite).getDefiningExpr() and
     reason = decl
   )
   or
-  exists(SsaVariable captured |
-    v.(SsaImplicitInit).captures(captured) and
+  exists(SsaDefinition captured |
+    v.(SsaCapturedDefinition).captures(captured) and
     clearlyNotNull(captured, reason)
   )
   or
@@ -136,7 +136,7 @@ predicate clearlyNotNull(SsaVariable v, Expr reason) {
 Expr clearlyNotNullExpr() { result = clearlyNotNullExpr(_) }
 
 /** Holds if `v` is an SSA variable that is provably not `null`. */
-predicate clearlyNotNull(SsaVariable v) { clearlyNotNull(v, _) }
+predicate clearlyNotNull(SsaDefinition v) { clearlyNotNull(v, _) }
 
 /**
  * Holds if the evaluation of a call to `m` resulting in the value `branch`
@@ -207,7 +207,7 @@ deprecated Expr basicOrCustomNullGuard(Expr e, boolean branch, boolean isnull) {
  * If `result` evaluates to `branch`, then `v` is guaranteed to be null if `isnull`
  * is true, and non-null if `isnull` is false.
  */
-Expr directNullGuard(SsaVariable v, boolean branch, boolean isnull) {
+Expr directNullGuard(SsaDefinition v, boolean branch, boolean isnull) {
   result = basicNullGuard(sameValue(v, _), branch, isnull)
 }
 
@@ -219,7 +219,7 @@ Expr directNullGuard(SsaVariable v, boolean branch, boolean isnull) {
  * If `result` evaluates to `branch`, then `v` is guaranteed to be null if `isnull`
  * is true, and non-null if `isnull` is false.
  */
-deprecated Guard nullGuard(SsaVariable v, boolean branch, boolean isnull) {
+deprecated Guard nullGuard(SsaDefinition v, boolean branch, boolean isnull) {
   result = directNullGuard(v, branch, isnull)
 }
 
@@ -228,7 +228,9 @@ deprecated Guard nullGuard(SsaVariable v, boolean branch, boolean isnull) {
  * from `bb1` to `bb2` implies that `v` is guaranteed to be null if `isnull` is
  * true, and non-null if `isnull` is false.
  */
-predicate nullGuardControlsBranchEdge(SsaVariable v, boolean isnull, BasicBlock bb1, BasicBlock bb2) {
+predicate nullGuardControlsBranchEdge(
+  SsaDefinition v, boolean isnull, BasicBlock bb1, BasicBlock bb2
+) {
   exists(GuardValue gv |
     Guards_v3::ssaControlsBranchEdge(v, bb1, bb2, gv) and
     gv.isNullness(isnull)
@@ -240,7 +242,7 @@ predicate nullGuardControlsBranchEdge(SsaVariable v, boolean isnull, BasicBlock
  * `bb` `v` is guaranteed to be null if `isnull` is true, and non-null if
  * `isnull` is false.
  */
-predicate nullGuardControls(SsaVariable v, boolean isnull, BasicBlock bb) {
+predicate nullGuardControls(SsaDefinition v, boolean isnull, BasicBlock bb) {
   exists(GuardValue gv |
     Guards_v3::ssaControls(v, bb, gv) and
     gv.isNullness(isnull)
@@ -263,6 +265,6 @@ predicate guardSuggestsExprMaybeNull(Expr guard, Expr e) {
 /**
  * Holds if `guard` is a guard expression that suggests that `v` might be null.
  */
-predicate guardSuggestsVarMaybeNull(Expr guard, SsaVariable v) {
+predicate guardSuggestsVarMaybeNull(Expr guard, SsaDefinition v) {
   guardSuggestsExprMaybeNull(guard, sameValue(v, _))
 }

java/ql/lib/semmle/code/java/dataflow/Nullness.qll

@@ -113,15 +113,15 @@ predicate dereference(Expr e) {
  *
  * The `VarAccess` is included for nicer error reporting.
  */
-private ControlFlowNode varDereference(SsaVariable v, VarAccess va) {
+private ControlFlowNode varDereference(SsaDefinition v, VarAccess va) {
   dereference(result.asExpr()) and
   result.asExpr() = sameValue(v, va)
 }
 
 /**
  * The first dereference of a variable in a given `BasicBlock`.
  */
-private predicate firstVarDereferenceInBlock(BasicBlock bb, SsaVariable v, VarAccess va) {
+private predicate firstVarDereferenceInBlock(BasicBlock bb, SsaDefinition v, VarAccess va) {
   exists(ControlFlowNode n |
     varDereference(v, va) = n and
     n.getBasicBlock() = bb and
@@ -135,14 +135,14 @@ private predicate firstVarDereferenceInBlock(BasicBlock bb, SsaVariable v, VarAc
 }
 
 /** A variable suspected of being `null`. */
-private predicate varMaybeNull(SsaVariable v, ControlFlowNode node, string msg, Expr reason) {
+private predicate varMaybeNull(SsaDefinition v, ControlFlowNode node, string msg, Expr reason) {
   // A variable compared to null might be null.
   exists(Expr e |
     reason = e and
     msg = "as suggested by $@ null guard" and
     guardSuggestsVarMaybeNull(e, v) and
-    node = v.getCfgNode() and
-    not v instanceof SsaPhiNode and
+    node = v.getControlFlowNode() and
+    not v instanceof SsaPhiDefinition and
     not clearlyNotNull(v) and
     // Comparisons in finally blocks are excluded since missing exception edges in the CFG could otherwise yield FPs.
     not exists(TryStmt try | try.getFinally() = e.getEnclosingStmt().getEnclosingStmt*()) and
@@ -151,13 +151,13 @@ private predicate varMaybeNull(SsaVariable v, ControlFlowNode node, string msg,
       not exists(MethodCall ma | ma.getAnArgument().getAChildExpr*() = e)
     ) and
     // Don't use a guard as reason if there is a null assignment.
-    not v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = nullExpr()
+    not v.(SsaExplicitWrite).getDefiningExpr().(VariableAssign).getSource() = nullExpr()
   )
   or
   // A parameter might be null if there is a null argument somewhere.
   exists(Parameter p, Expr arg |
-    v.(SsaImplicitInit).isParameterDefinition(p) and
-    node = v.getCfgNode() and
+    v.(SsaParameterInit).getParameter() = p and
+    node = v.getControlFlowNode() and
     p.getAnArgument() = arg and
     reason = arg and
     msg = "because of $@ null argument" and
@@ -167,7 +167,7 @@ private predicate varMaybeNull(SsaVariable v, ControlFlowNode node, string msg,
   or
   // If the source of a variable is null then the variable may be null.
   exists(VariableAssign def |
-    v.(SsaExplicitUpdate).getDefiningExpr() = def and
+    v.(SsaExplicitWrite).getDefiningExpr() = def and
     def.getSource() = nullExpr(node.asExpr()) and
     reason = def and
     msg = "because of $@ assignment"
@@ -179,26 +179,26 @@ private Expr nonEmptyExpr() {
   // An array creation with a known positive size is trivially non-empty.
   result.(ArrayCreationExpr).getFirstDimensionSize() > 0
   or
-  exists(SsaVariable v |
+  exists(SsaDefinition v |
     // A use of an array variable is non-empty if...
-    result = v.getAUse() and
+    result = v.getARead() and
     v.getSourceVariable().getType() instanceof Array
   |
     // ...its definition is non-empty...
-    v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = nonEmptyExpr()
+    v.(SsaExplicitWrite).getValue() = nonEmptyExpr()
     or
     // ...or it is guarded by a condition proving its length to be non-zero.
     exists(ConditionBlock cond, boolean branch, FieldAccess length |
       cond.controls(result.getBasicBlock(), branch) and
       cond.getCondition() = nonZeroGuard(length, branch) and
       length.getField().hasName("length") and
-      length.getQualifier() = v.getAUse()
+      length.getQualifier() = v.getARead()
     )
   )
   or
-  exists(SsaVariable v |
+  exists(SsaDefinition v |
     // A use of a Collection variable is non-empty if...
-    result = v.getAUse() and
+    result = v.getARead() and
     v.getSourceVariable().getType() instanceof CollectionType and
     exists(ConditionBlock cond, boolean branch, Expr c |
       // ...it is guarded by a condition...
@@ -216,13 +216,13 @@ private Expr nonEmptyExpr() {
       // ...and the condition proves that it is non-empty, either by using the `isEmpty` method...
       c.(MethodCall).getMethod().hasName("isEmpty") and
       branch = false and
-      c.(MethodCall).getQualifier() = v.getAUse()
+      c.(MethodCall).getQualifier() = v.getARead()
       or
       // ...or a check on its `size`.
       exists(MethodCall size |
         c = nonZeroGuard(size, branch) and
         size.getMethod().hasName("size") and
-        size.getQualifier() = v.getAUse()
+        size.getQualifier() = v.getARead()
       )
     )
   )
@@ -249,9 +249,9 @@ private predicate impossibleEdge(BasicBlock bb1, BasicBlock bb2) {
 }
 
 private module NullnessConfig implements ControlFlowReachability::ConfigSig {
-  predicate source(ControlFlowNode node, SsaVariable def) { varMaybeNull(def, node, _, _) }
+  predicate source(ControlFlowNode node, SsaDefinition def) { varMaybeNull(def, node, _, _) }
 
-  predicate sink(ControlFlowNode node, SsaVariable def) { varDereference(def, _) = node }
+  predicate sink(ControlFlowNode node, SsaDefinition def) { varDereference(def, _) = node }
 
   predicate barrierValue(GuardValue gv) { gv.isNullness(false) }
 
@@ -266,7 +266,7 @@ private module NullnessFlow = ControlFlowReachability::Flow<NullnessConfig>;
  * Holds if the dereference of `v` at `va` might be `null`.
  */
 predicate nullDeref(SsaSourceVariable v, VarAccess va, string msg, Expr reason) {
-  exists(SsaVariable origin, SsaVariable ssa, ControlFlowNode src, ControlFlowNode sink |
+  exists(SsaDefinition origin, SsaDefinition ssa, ControlFlowNode src, ControlFlowNode sink |
     varMaybeNull(origin, src, msg, reason) and
     NullnessFlow::flow(src, origin, sink, ssa) and
     ssa.getSourceVariable() = v and
@@ -278,9 +278,9 @@ predicate nullDeref(SsaSourceVariable v, VarAccess va, string msg, Expr reason)
  * A dereference of a variable that is always `null`.
  */
 predicate alwaysNullDeref(SsaSourceVariable v, VarAccess va) {
-  exists(BasicBlock bb, SsaVariable ssa |
-    forall(SsaVariable def | def = ssa.getAnUltimateDefinition() |
-      def.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = alwaysNullExpr()
+  exists(BasicBlock bb, SsaDefinition ssa |
+    forall(SsaDefinition def | def = ssa.getAnUltimateDefinition() |
+      def.(SsaExplicitWrite).getValue() = alwaysNullExpr()
     )
     or
     nullGuardControls(ssa, true, bb) and

java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll

@@ -242,17 +242,17 @@ module Sem implements Semantic<Location> {
 
   Type getSsaType(SsaVariable var) { result = var.getSourceVariable().getType() }
 
-  final private class FinalSsaVariable = SSA::SsaVariable;
+  final private class FinalSsaVariable = SSA::SsaDefinition;
 
   class SsaVariable extends FinalSsaVariable {
-    Expr getAUse() { result = super.getAUse() }
+    Expr getAUse() { result = super.getARead() }
   }
 
-  class SsaPhiNode extends SsaVariable instanceof SSA::SsaPhiNode {
+  class SsaPhiNode extends SsaVariable instanceof SSA::SsaPhiDefinition {
     predicate hasInputFromBlock(SsaVariable inp, BasicBlock bb) { super.hasInputFromBlock(inp, bb) }
   }
 
-  class SsaExplicitUpdate extends SsaVariable instanceof SSA::SsaExplicitUpdate {
+  class SsaExplicitUpdate extends SsaVariable instanceof SSA::SsaExplicitWrite {
     Expr getDefiningExpr() { result = super.getDefiningExpr() }
   }