Java: Replace SSA class wrappers with shared code.

Author: aschackmull

java/ql/lib/semmle/code/java/dataflow/DefUse.qll

@@ -34,8 +34,12 @@ predicate useUsePair(VarRead use1, VarRead use2) { adjacentUseUse+(use1, use2) }
  * Other paths may also exist, so the SSA variables in `def` and `use` can be different.
  */
 predicate defUsePair(VariableUpdate def, VarRead use) {
-  exists(SsaVariable v |
-    v.getAUse() = use and v.getAnUltimateDefinition().(SsaExplicitUpdate).getDefiningExpr() = def
+  exists(SsaDefinition v, SsaExplicitWrite write |
+    v.getARead() = use and write.getDefiningExpr() = def
+  |
+    v.getAnUltimateDefinition() = write
+    or
+    v.(SsaCapturedDefinition).getAnUltimateCapturedDefinition() = write
   )
 }
 
@@ -46,7 +50,9 @@ predicate defUsePair(VariableUpdate def, VarRead use) {
  * Other paths may also exist, so the SSA variables can be different.
  */
 predicate parameterDefUsePair(Parameter p, VarRead use) {
-  exists(SsaVariable v |
-    v.getAUse() = use and v.getAnUltimateDefinition().(SsaImplicitInit).isParameterDefinition(p)
+  exists(SsaDefinition v, SsaParameterInit init | v.getARead() = use and init.getParameter() = p |
+    v.getAnUltimateDefinition() = init
+    or
+    v.(SsaCapturedDefinition).getAnUltimateCapturedDefinition() = init
   )
 }

java/ql/lib/semmle/code/java/dataflow/NullGuards.qll

@@ -26,9 +26,9 @@ Expr enumConstEquality(Expr e, boolean polarity, EnumConstant c) {
 }
 
 /** Gets an instanceof expression of `v` with type `type` */
-InstanceOfExpr instanceofExpr(SsaVariable v, RefType type) {
+InstanceOfExpr instanceofExpr(SsaDefinition v, RefType type) {
   result.getCheckedType() = type and
-  result.getExpr() = v.getAUse()
+  result.getExpr() = v.getARead()
 }
 
 /**
@@ -37,8 +37,8 @@ InstanceOfExpr instanceofExpr(SsaVariable v, RefType type) {
  *
  * Note this includes Kotlin's `==` and `!=` operators, which are value-equality tests.
  */
-EqualityTest varEqualityTestExpr(SsaVariable v1, SsaVariable v2, boolean isEqualExpr) {
-  result.hasOperands(v1.getAUse(), v2.getAUse()) and
+EqualityTest varEqualityTestExpr(SsaDefinition v1, SsaDefinition v2, boolean isEqualExpr) {
+  result.hasOperands(v1.getARead(), v2.getARead()) and
   isEqualExpr = result.polarity()
 }
 
@@ -91,37 +91,37 @@ Expr clearlyNotNullExpr(Expr reason) {
     (reason = r1 or reason = r2)
   )
   or
-  exists(SsaVariable v, boolean branch, VarRead rval, Guard guard |
+  exists(SsaDefinition v, boolean branch, VarRead rval, Guard guard |
     guard = directNullGuard(v, branch, false) and
     guard.controls(rval.getBasicBlock(), branch) and
     reason = guard and
-    rval = v.getAUse() and
+    rval = v.getARead() and
     result = rval and
     not result = baseNotNullExpr()
   )
   or
-  exists(SsaVariable v |
+  exists(SsaDefinition v |
     clearlyNotNull(v, reason) and
-    result = v.getAUse() and
+    result = v.getARead() and
     not result = baseNotNullExpr()
   )
 }
 
 /** Holds if `v` is an SSA variable that is provably not `null`. */
-predicate clearlyNotNull(SsaVariable v, Expr reason) {
+predicate clearlyNotNull(SsaDefinition v, Expr reason) {
   exists(Expr src |
-    src = v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() and
+    src = v.(SsaExplicitWrite).getValue() and
     src = clearlyNotNullExpr(reason)
   )
   or
   exists(CatchClause cc, LocalVariableDeclExpr decl |
     decl = cc.getVariable() and
-    decl = v.(SsaExplicitUpdate).getDefiningExpr() and
+    decl = v.(SsaExplicitWrite).getDefiningExpr() and
     reason = decl
   )
   or
-  exists(SsaVariable captured |
-    v.(SsaImplicitInit).captures(captured) and
+  exists(SsaDefinition captured |
+    v.(SsaCapturedDefinition).captures(captured) and
     clearlyNotNull(captured, reason)
   )
   or
@@ -136,7 +136,7 @@ predicate clearlyNotNull(SsaVariable v, Expr reason) {
 Expr clearlyNotNullExpr() { result = clearlyNotNullExpr(_) }
 
 /** Holds if `v` is an SSA variable that is provably not `null`. */
-predicate clearlyNotNull(SsaVariable v) { clearlyNotNull(v, _) }
+predicate clearlyNotNull(SsaDefinition v) { clearlyNotNull(v, _) }
 
 /**
  * Holds if the evaluation of a call to `m` resulting in the value `branch`
@@ -207,7 +207,7 @@ deprecated Expr basicOrCustomNullGuard(Expr e, boolean branch, boolean isnull) {
  * If `result` evaluates to `branch`, then `v` is guaranteed to be null if `isnull`
  * is true, and non-null if `isnull` is false.
  */
-Expr directNullGuard(SsaVariable v, boolean branch, boolean isnull) {
+Expr directNullGuard(SsaDefinition v, boolean branch, boolean isnull) {
   result = basicNullGuard(sameValue(v, _), branch, isnull)
 }
 
@@ -219,7 +219,7 @@ Expr directNullGuard(SsaVariable v, boolean branch, boolean isnull) {
  * If `result` evaluates to `branch`, then `v` is guaranteed to be null if `isnull`
  * is true, and non-null if `isnull` is false.
  */
-deprecated Guard nullGuard(SsaVariable v, boolean branch, boolean isnull) {
+deprecated Guard nullGuard(SsaDefinition v, boolean branch, boolean isnull) {
   result = directNullGuard(v, branch, isnull)
 }
 
@@ -228,7 +228,9 @@ deprecated Guard nullGuard(SsaVariable v, boolean branch, boolean isnull) {
  * from `bb1` to `bb2` implies that `v` is guaranteed to be null if `isnull` is
  * true, and non-null if `isnull` is false.
  */
-predicate nullGuardControlsBranchEdge(SsaVariable v, boolean isnull, BasicBlock bb1, BasicBlock bb2) {
+predicate nullGuardControlsBranchEdge(
+  SsaDefinition v, boolean isnull, BasicBlock bb1, BasicBlock bb2
+) {
   exists(GuardValue gv |
     Guards_v3::ssaControlsBranchEdge(v, bb1, bb2, gv) and
     gv.isNullness(isnull)
@@ -240,7 +242,7 @@ predicate nullGuardControlsBranchEdge(SsaVariable v, boolean isnull, BasicBlock
  * `bb` `v` is guaranteed to be null if `isnull` is true, and non-null if
  * `isnull` is false.
  */
-predicate nullGuardControls(SsaVariable v, boolean isnull, BasicBlock bb) {
+predicate nullGuardControls(SsaDefinition v, boolean isnull, BasicBlock bb) {
   exists(GuardValue gv |
     Guards_v3::ssaControls(v, bb, gv) and
     gv.isNullness(isnull)
@@ -263,6 +265,6 @@ predicate guardSuggestsExprMaybeNull(Expr guard, Expr e) {
 /**
  * Holds if `guard` is a guard expression that suggests that `v` might be null.
  */
-predicate guardSuggestsVarMaybeNull(Expr guard, SsaVariable v) {
+predicate guardSuggestsVarMaybeNull(Expr guard, SsaDefinition v) {
   guardSuggestsExprMaybeNull(guard, sameValue(v, _))
 }

java/ql/lib/semmle/code/java/dataflow/Nullness.qll

@@ -113,15 +113,15 @@ predicate dereference(Expr e) {
  *
  * The `VarAccess` is included for nicer error reporting.
  */
-private ControlFlowNode varDereference(SsaVariable v, VarAccess va) {
+private ControlFlowNode varDereference(SsaDefinition v, VarAccess va) {
   dereference(result.asExpr()) and
   result.asExpr() = sameValue(v, va)
 }
 
 /**
  * The first dereference of a variable in a given `BasicBlock`.
  */
-private predicate firstVarDereferenceInBlock(BasicBlock bb, SsaVariable v, VarAccess va) {
+private predicate firstVarDereferenceInBlock(BasicBlock bb, SsaDefinition v, VarAccess va) {
   exists(ControlFlowNode n |
     varDereference(v, va) = n and
     n.getBasicBlock() = bb and
@@ -135,14 +135,14 @@ private predicate firstVarDereferenceInBlock(BasicBlock bb, SsaVariable v, VarAc
 }
 
 /** A variable suspected of being `null`. */
-private predicate varMaybeNull(SsaVariable v, ControlFlowNode node, string msg, Expr reason) {
+private predicate varMaybeNull(SsaDefinition v, ControlFlowNode node, string msg, Expr reason) {
   // A variable compared to null might be null.
   exists(Expr e |
     reason = e and
     msg = "as suggested by $@ null guard" and
     guardSuggestsVarMaybeNull(e, v) and
-    node = v.getCfgNode() and
-    not v instanceof SsaPhiNode and
+    node = v.getControlFlowNode() and
+    not v instanceof SsaPhiDefinition and
     not clearlyNotNull(v) and
     // Comparisons in finally blocks are excluded since missing exception edges in the CFG could otherwise yield FPs.
     not exists(TryStmt try | try.getFinally() = e.getEnclosingStmt().getEnclosingStmt*()) and
@@ -151,13 +151,13 @@ private predicate varMaybeNull(SsaVariable v, ControlFlowNode node, string msg,
       not exists(MethodCall ma | ma.getAnArgument().getAChildExpr*() = e)
     ) and
     // Don't use a guard as reason if there is a null assignment.
-    not v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = nullExpr()
+    not v.(SsaExplicitWrite).getDefiningExpr().(VariableAssign).getSource() = nullExpr()
   )
   or
   // A parameter might be null if there is a null argument somewhere.
   exists(Parameter p, Expr arg |
-    v.(SsaImplicitInit).isParameterDefinition(p) and
-    node = v.getCfgNode() and
+    v.(SsaParameterInit).getParameter() = p and
+    node = v.getControlFlowNode() and
     p.getAnArgument() = arg and
     reason = arg and
     msg = "because of $@ null argument" and
@@ -167,7 +167,7 @@ private predicate varMaybeNull(SsaVariable v, ControlFlowNode node, string msg,
   or
   // If the source of a variable is null then the variable may be null.
   exists(VariableAssign def |
-    v.(SsaExplicitUpdate).getDefiningExpr() = def and
+    v.(SsaExplicitWrite).getDefiningExpr() = def and
     def.getSource() = nullExpr(node.asExpr()) and
     reason = def and
     msg = "because of $@ assignment"
@@ -179,26 +179,26 @@ private Expr nonEmptyExpr() {
   // An array creation with a known positive size is trivially non-empty.
   result.(ArrayCreationExpr).getFirstDimensionSize() > 0
   or
-  exists(SsaVariable v |
+  exists(SsaDefinition v |
     // A use of an array variable is non-empty if...
-    result = v.getAUse() and
+    result = v.getARead() and
     v.getSourceVariable().getType() instanceof Array
   |
     // ...its definition is non-empty...
-    v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = nonEmptyExpr()
+    v.(SsaExplicitWrite).getValue() = nonEmptyExpr()
     or
     // ...or it is guarded by a condition proving its length to be non-zero.
     exists(ConditionBlock cond, boolean branch, FieldAccess length |
       cond.controls(result.getBasicBlock(), branch) and
       cond.getCondition() = nonZeroGuard(length, branch) and
       length.getField().hasName("length") and
-      length.getQualifier() = v.getAUse()
+      length.getQualifier() = v.getARead()
     )
   )
   or
-  exists(SsaVariable v |
+  exists(SsaDefinition v |
     // A use of a Collection variable is non-empty if...
-    result = v.getAUse() and
+    result = v.getARead() and
     v.getSourceVariable().getType() instanceof CollectionType and
     exists(ConditionBlock cond, boolean branch, Expr c |
       // ...it is guarded by a condition...
@@ -216,13 +216,13 @@ private Expr nonEmptyExpr() {
       // ...and the condition proves that it is non-empty, either by using the `isEmpty` method...
       c.(MethodCall).getMethod().hasName("isEmpty") and
       branch = false and
-      c.(MethodCall).getQualifier() = v.getAUse()
+      c.(MethodCall).getQualifier() = v.getARead()
       or
       // ...or a check on its `size`.
       exists(MethodCall size |
         c = nonZeroGuard(size, branch) and
         size.getMethod().hasName("size") and
-        size.getQualifier() = v.getAUse()
+        size.getQualifier() = v.getARead()
       )
     )
   )
@@ -266,7 +266,7 @@ private module NullnessFlow = ControlFlowReachability::Flow<NullnessConfig>;
  * Holds if the dereference of `v` at `va` might be `null`.
  */
 predicate nullDeref(SsaSourceVariable v, VarAccess va, string msg, Expr reason) {
-  exists(SsaVariable origin, SsaVariable ssa, ControlFlowNode src, ControlFlowNode sink |
+  exists(SsaDefinition origin, SsaDefinition ssa, ControlFlowNode src, ControlFlowNode sink |
     varMaybeNull(origin, src, msg, reason) and
     NullnessFlow::flow(src, origin, sink, ssa) and
     ssa.getSourceVariable() = v and
@@ -278,9 +278,9 @@ predicate nullDeref(SsaSourceVariable v, VarAccess va, string msg, Expr reason)
  * A dereference of a variable that is always `null`.
  */
 predicate alwaysNullDeref(SsaSourceVariable v, VarAccess va) {
-  exists(BasicBlock bb, SsaVariable ssa |
-    forall(SsaVariable def | def = ssa.getAnUltimateDefinition() |
-      def.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = alwaysNullExpr()
+  exists(BasicBlock bb, SsaDefinition ssa |
+    forall(SsaDefinition def | def = ssa.getAnUltimateDefinition() |
+      def.(SsaExplicitWrite).getValue() = alwaysNullExpr()
     )
     or
     nullGuardControls(ssa, true, bb) and

java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll

@@ -242,17 +242,17 @@ module Sem implements Semantic<Location> {
 
   Type getSsaType(SsaVariable var) { result = var.getSourceVariable().getType() }
 
-  final private class FinalSsaVariable = SSA::SsaVariable;
+  final private class FinalSsaVariable = SSA::SsaDefinition;
 
   class SsaVariable extends FinalSsaVariable {
-    Expr getAUse() { result = super.getAUse() }
+    Expr getAUse() { result = super.getARead() }
   }
 
-  class SsaPhiNode extends SsaVariable instanceof SSA::SsaPhiNode {
+  class SsaPhiNode extends SsaVariable instanceof SSA::SsaPhiDefinition {
     predicate hasInputFromBlock(SsaVariable inp, BasicBlock bb) { super.hasInputFromBlock(inp, bb) }
   }
 
-  class SsaExplicitUpdate extends SsaVariable instanceof SSA::SsaExplicitUpdate {
+  class SsaExplicitUpdate extends SsaVariable instanceof SSA::SsaExplicitWrite {
     Expr getDefiningExpr() { result = super.getDefiningExpr() }
   }
 

java/ql/lib/semmle/code/java/dataflow/RangeUtils.qll

@@ -33,14 +33,14 @@ predicate eqFlowCond = U::eqFlowCond/5;
  * `SsaPhiNode` in order for the reflexive case of `nonNullSsaFwdStep*(..)` to
  * have non-`SsaPhiNode` results.
  */
-private predicate nonNullSsaFwdStep(SsaVariable v, SsaVariable phi) {
-  exists(SsaExplicitUpdate vnull, SsaPhiNode phi0 | phi0 = phi |
-    2 = strictcount(phi0.getAPhiInput()) and
-    vnull = phi0.getAPhiInput() and
-    v = phi0.getAPhiInput() and
+private predicate nonNullSsaFwdStep(SsaDefinition v, SsaDefinition phi) {
+  exists(SsaExplicitWrite vnull, SsaPhiDefinition phi0 | phi0 = phi |
+    2 = strictcount(phi0.getAnInput()) and
+    vnull = phi0.getAnInput() and
+    v = phi0.getAnInput() and
     not backEdge(phi0, v, _) and
     vnull != v and
-    vnull.getDefiningExpr().(VariableAssign).getSource() instanceof NullLiteral
+    vnull.getValue() instanceof NullLiteral
   )
 }
 
@@ -56,13 +56,13 @@ private predicate nonNullDefStep(Expr e1, Expr e2) {
  * explicit `ArrayCreationExpr` definition and that the definition does not go
  * through a back edge.
  */
-ArrayCreationExpr getArrayDef(SsaVariable v) {
+ArrayCreationExpr getArrayDef(SsaDefinition v) {
   exists(Expr src |
-    v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = src and
+    v.(SsaExplicitWrite).getValue() = src and
     nonNullDefStep*(result, src)
   )
   or
-  exists(SsaVariable mid |
+  exists(SsaDefinition mid |
     result = getArrayDef(mid) and
     nonNullSsaFwdStep(mid, v)
   )
@@ -74,9 +74,9 @@ ArrayCreationExpr getArrayDef(SsaVariable v) {
  * `arrlen` without going through a back edge.
  */
 private predicate arrayLengthDef(FieldRead arrlen, ArrayCreationExpr def) {
-  exists(SsaVariable arr |
+  exists(SsaDefinition arr |
     arrlen.getField() instanceof ArrayLengthField and
-    arrlen.getQualifier() = arr.getAUse() and
+    arrlen.getQualifier() = arr.getARead() and
     def = getArrayDef(arr)
   )
 }
@@ -86,9 +86,9 @@ pragma[nomagic]
 private predicate constantIntegerExpr(Expr e, int val) {
   e.(CompileTimeConstantExpr).getIntValue() = val
   or
-  exists(SsaExplicitUpdate v, Expr src |
-    e = v.getAUse() and
-    src = v.getDefiningExpr().(VariableAssign).getSource() and
+  exists(SsaExplicitWrite v, Expr src |
+    e = v.getARead() and
+    src = v.getValue() and
     constantIntegerExpr(src, val)
   )
   or
@@ -112,9 +112,9 @@ pragma[nomagic]
 private predicate constantBooleanExpr(Expr e, boolean val) {
   e.(CompileTimeConstantExpr).getBooleanValue() = val
   or
-  exists(SsaExplicitUpdate v, Expr src |
-    e = v.getAUse() and
-    src = v.getDefiningExpr().(VariableAssign).getSource() and
+  exists(SsaExplicitWrite v, Expr src |
+    e = v.getARead() and
+    src = v.getValue() and
     constantBooleanExpr(src, val)
   )
   or
@@ -125,9 +125,9 @@ pragma[nomagic]
 private predicate constantStringExpr(Expr e, string val) {
   e.(CompileTimeConstantExpr).getStringValue() = val
   or
-  exists(SsaExplicitUpdate v, Expr src |
-    e = v.getAUse() and
-    src = v.getDefiningExpr().(VariableAssign).getSource() and
+  exists(SsaExplicitWrite v, Expr src |
+    e = v.getARead() and
+    src = v.getValue() and
     constantStringExpr(src, val)
   )
 }