C#: Assume captured variables are live at exit in SSA construction

Author: hvitved

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -870,6 +870,39 @@ private module CapturedVariableImpl {
       )
     )
   }
+
+  /**
+   * Holds if captured local scope variable `v` is written inside the callable
+   * to which `bb` belongs.
+   *
+   * In this case a pseudo-read is inserted at the exit node at index `i` in `bb`,
+   * in order to make the write live.
+   *
+   * Example:
+   *
+   * ```csharp
+   * class C {
+   *   void M1() {
+   *     int i = 0;
+   *     void M2() { i = 2; };
+   *     M2();
+   *     System.Console.WriteLine(i);
+   *   }
+   * }
+   * ```
+   *
+   * The write to `i` inside `M2` on line 4 is live because of the implicit call
+   * definition on line 5.
+   */
+  predicate capturedExitRead(
+    ControlFlow::BasicBlock bb, int i, CapturedWrittenLocalScopeSourceVariable v
+  ) {
+    exists(ControlFlow::Nodes::AnnotatedExitNode exit |
+      exit.isNormal() and
+      variableDefinition(bb.getAPredecessor*(), _, v, _) and
+      exit = bb.getNode(i)
+    )
+  }
 }
 
 /**
@@ -1083,7 +1116,7 @@ private predicate variableReadPseudo(ControlFlow::BasicBlock bb, int i, Ssa::Sou
   or
   refReadBeforeWrite(bb, i, v)
   or
-  capturedReadOut(bb, i, v, _, _, _)
+  CapturedVariableImpl::capturedExitRead(bb, i, v)
   or
   capturedReadIn(bb, i, v, _, _, _)
 }

csharp/ql/test/library-tests/dataflow/constructors/ConstructorFlow.expected

@@ -1,5 +1,4 @@
 testFailures
-| Constructors.cs:101:25:101:43 | // ... | Missing result:hasValueFlow=5 |
 edges
 | Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | Constructors.cs:9:27:9:41 | object creation of type C_no_ctor : C_no_ctor [field s1] : Object | provenance |  |
 | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | provenance |  |
@@ -20,7 +19,12 @@ edges
 | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | provenance |  |
 | Constructors.cs:50:32:50:36 | this : C2 [field Obj21] : Object | Constructors.cs:50:32:50:36 | this access : C2 [field Obj21] : Object | provenance |  |
 | Constructors.cs:50:32:50:36 | this access : C2 [field Obj21] : Object | Constructors.cs:50:32:50:36 | access to field Obj21 : Object | provenance |  |
+| Constructors.cs:52:35:52:35 | o : Object | Constructors.cs:54:13:54:24 | SSA def(o22param) : Object | provenance |  |
 | Constructors.cs:52:35:52:35 | o : Object | Constructors.cs:54:24:54:24 | access to parameter o : Object | provenance |  |
+| Constructors.cs:57:54:57:55 | o2 : Object | Constructors.cs:59:13:59:19 | SSA def(o1) : Object | provenance |  |
+| Constructors.cs:62:41:62:41 | o : Object | Constructors.cs:64:37:64:37 | access to parameter o : Object | provenance |  |
+| Constructors.cs:64:37:64:37 | access to parameter o : Object | Constructors.cs:57:54:57:55 | o2 : Object | provenance |  |
+| Constructors.cs:64:37:64:37 | access to parameter o : Object | Constructors.cs:64:27:64:34 | SSA def(o22param) : Object | provenance |  |
 | Constructors.cs:70:17:70:33 | call to method Source<Object> : Object | Constructors.cs:71:25:71:25 | access to local variable o : Object | provenance |  |
 | Constructors.cs:71:18:71:26 | object creation of type C1 : C1 [field Obj] : Object | Constructors.cs:72:14:72:15 | access to local variable c1 : C1 [field Obj] : Object | provenance |  |
 | Constructors.cs:71:25:71:25 | access to local variable o : Object | Constructors.cs:41:26:41:26 | o : Object | provenance |  |
@@ -46,6 +50,12 @@ edges
 | Constructors.cs:92:19:92:23 | access to local variable taint : Object | Constructors.cs:92:9:92:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object | provenance |  |
 | Constructors.cs:93:14:93:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | provenance |  |
 | Constructors.cs:93:14:93:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:93:14:93:21 | access to property Obj22 | provenance |  |
+| Constructors.cs:99:21:99:37 | call to method Source<Object> : Object | Constructors.cs:100:25:100:29 | access to local variable taint : Object | provenance |  |
+| Constructors.cs:100:9:100:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | provenance |  |
+| Constructors.cs:100:25:100:29 | access to local variable taint : Object | Constructors.cs:62:41:62:41 | o : Object | provenance |  |
+| Constructors.cs:100:25:100:29 | access to local variable taint : Object | Constructors.cs:100:9:100:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object | provenance |  |
+| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | provenance |  |
+| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:101:14:101:21 | access to property Obj22 | provenance |  |
 nodes
 | Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | semmle.label | [post] this access : C_no_ctor [field s1] : Object |
 | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
@@ -74,7 +84,13 @@ nodes
 | Constructors.cs:50:32:50:36 | this : C2 [field Obj21] : Object | semmle.label | this : C2 [field Obj21] : Object |
 | Constructors.cs:50:32:50:36 | this access : C2 [field Obj21] : Object | semmle.label | this access : C2 [field Obj21] : Object |
 | Constructors.cs:52:35:52:35 | o : Object | semmle.label | o : Object |
+| Constructors.cs:54:13:54:24 | SSA def(o22param) : Object | semmle.label | SSA def(o22param) : Object |
 | Constructors.cs:54:24:54:24 | access to parameter o : Object | semmle.label | access to parameter o : Object |
+| Constructors.cs:57:54:57:55 | o2 : Object | semmle.label | o2 : Object |
+| Constructors.cs:59:13:59:19 | SSA def(o1) : Object | semmle.label | SSA def(o1) : Object |
+| Constructors.cs:62:41:62:41 | o : Object | semmle.label | o : Object |
+| Constructors.cs:64:27:64:34 | SSA def(o22param) : Object | semmle.label | SSA def(o22param) : Object |
+| Constructors.cs:64:37:64:37 | access to parameter o : Object | semmle.label | access to parameter o : Object |
 | Constructors.cs:70:17:70:33 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
 | Constructors.cs:71:18:71:26 | object creation of type C1 : C1 [field Obj] : Object | semmle.label | object creation of type C1 : C1 [field Obj] : Object |
 | Constructors.cs:71:25:71:25 | access to local variable o : Object | semmle.label | access to local variable o : Object |
@@ -97,14 +113,23 @@ nodes
 | Constructors.cs:92:19:92:23 | access to local variable taint : Object | semmle.label | access to local variable taint : Object |
 | Constructors.cs:93:14:93:15 | access to local variable c2 : C2 [parameter o22param] : Object | semmle.label | access to local variable c2 : C2 [parameter o22param] : Object |
 | Constructors.cs:93:14:93:21 | access to property Obj22 | semmle.label | access to property Obj22 |
+| Constructors.cs:99:21:99:37 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Constructors.cs:100:9:100:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object | semmle.label | [post] access to local variable c2 : C2 [parameter o22param] : Object |
+| Constructors.cs:100:25:100:29 | access to local variable taint : Object | semmle.label | access to local variable taint : Object |
+| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | semmle.label | access to local variable c2 : C2 [parameter o22param] : Object |
+| Constructors.cs:101:14:101:21 | access to property Obj22 | semmle.label | access to property Obj22 |
 subpaths
+| Constructors.cs:64:37:64:37 | access to parameter o : Object | Constructors.cs:57:54:57:55 | o2 : Object | Constructors.cs:59:13:59:19 | SSA def(o1) : Object | Constructors.cs:64:27:64:34 | SSA def(o22param) : Object |
 | Constructors.cs:71:25:71:25 | access to local variable o : Object | Constructors.cs:41:26:41:26 | o : Object | Constructors.cs:41:32:41:34 | [post] this access : C1 [field Obj] : Object | Constructors.cs:71:18:71:26 | object creation of type C1 : C1 [field Obj] : Object |
 | Constructors.cs:79:25:79:27 | access to local variable o21 : Object | Constructors.cs:44:28:44:35 | o21param : Object | Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | Constructors.cs:79:18:79:33 | object creation of type C2 : C2 [field Obj21] : Object |
 | Constructors.cs:79:30:79:32 | access to local variable o22 : Object | Constructors.cs:44:45:44:52 | o22param : Object | Constructors.cs:44:45:44:52 | o22param : Object | Constructors.cs:79:18:79:33 | object creation of type C2 : C2 [parameter o22param] : Object |
 | Constructors.cs:81:14:81:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | Constructors.cs:81:14:81:21 | access to property Obj22 |
 | Constructors.cs:82:14:82:15 | access to local variable c2 : C2 [field Obj21] : Object | Constructors.cs:50:32:50:36 | this : C2 [field Obj21] : Object | Constructors.cs:50:32:50:36 | access to field Obj21 : Object | Constructors.cs:82:14:82:21 | access to property Obj23 |
+| Constructors.cs:92:19:92:23 | access to local variable taint : Object | Constructors.cs:52:35:52:35 | o : Object | Constructors.cs:54:13:54:24 | SSA def(o22param) : Object | Constructors.cs:92:9:92:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object |
 | Constructors.cs:92:19:92:23 | access to local variable taint : Object | Constructors.cs:52:35:52:35 | o : Object | Constructors.cs:54:24:54:24 | access to parameter o : Object | Constructors.cs:92:9:92:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object |
 | Constructors.cs:93:14:93:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | Constructors.cs:93:14:93:21 | access to property Obj22 |
+| Constructors.cs:100:25:100:29 | access to local variable taint : Object | Constructors.cs:62:41:62:41 | o : Object | Constructors.cs:64:27:64:34 | SSA def(o22param) : Object | Constructors.cs:100:9:100:10 | [post] access to local variable c2 : C2 [parameter o22param] : Object |
+| Constructors.cs:101:14:101:15 | access to local variable c2 : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | this : C2 [parameter o22param] : Object | Constructors.cs:48:32:48:39 | access to parameter o22param : Object | Constructors.cs:101:14:101:21 | access to property Obj22 |
 #select
 | Constructors.cs:15:18:15:19 | access to field s1 | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | Constructors.cs:15:18:15:19 | access to field s1 | $@ | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Constructors.cs:33:18:33:19 | access to field s1 | Constructors.cs:21:29:21:45 | call to method Source<Object> : Object | Constructors.cs:33:18:33:19 | access to field s1 | $@ | Constructors.cs:21:29:21:45 | call to method Source<Object> : Object | call to method Source<Object> : Object |
@@ -113,3 +138,4 @@ subpaths
 | Constructors.cs:81:14:81:21 | access to property Obj22 | Constructors.cs:78:19:78:35 | call to method Source<Object> : Object | Constructors.cs:81:14:81:21 | access to property Obj22 | $@ | Constructors.cs:78:19:78:35 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Constructors.cs:82:14:82:21 | access to property Obj23 | Constructors.cs:77:19:77:35 | call to method Source<Object> : Object | Constructors.cs:82:14:82:21 | access to property Obj23 | $@ | Constructors.cs:77:19:77:35 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Constructors.cs:93:14:93:21 | access to property Obj22 | Constructors.cs:91:21:91:37 | call to method Source<Object> : Object | Constructors.cs:93:14:93:21 | access to property Obj22 | $@ | Constructors.cs:91:21:91:37 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Constructors.cs:101:14:101:21 | access to property Obj22 | Constructors.cs:99:21:99:37 | call to method Source<Object> : Object | Constructors.cs:101:14:101:21 | access to property Obj22 | $@ | Constructors.cs:99:21:99:37 | call to method Source<Object> : Object | call to method Source<Object> : Object |

csharp/ql/test/library-tests/dataflow/ssa/Capture.cs

@@ -148,7 +148,7 @@ void M4()
         void M5()
         {
             Use(e);
-            e = 0; // Should *not* get an SSA definition (`e` is never read)
+            e = 0; // Should *not* get an SSA definition (`e` is never read), but does since captured variables are conservatively considered live
         }
 
         var f = 12;
@@ -165,7 +165,7 @@ void M7()
             Use(g);
         };
 
-        var h = 12; // Should *not* get an SSA definition
+        var h = 12; // Should *not* get an SSA definition, but does since captured variables are conservatively considered live
         void M8()
         {
             h = 0;

csharp/ql/test/library-tests/dataflow/ssa/SSAPhi.expected

@@ -4,6 +4,7 @@
 | DefUse.cs:6:14:6:14 | y | DefUse.cs:23:9:23:15 | SSA phi(y) | DefUse.cs:18:13:18:18 | SSA def(y) |
 | DefUse.cs:6:14:6:14 | y | DefUse.cs:42:9:42:15 | SSA phi(y) | DefUse.cs:28:13:28:18 | SSA def(y) |
 | DefUse.cs:6:14:6:14 | y | DefUse.cs:42:9:42:15 | SSA phi(y) | DefUse.cs:39:13:39:18 | SSA def(y) |
+| DefUse.cs:59:13:59:13 | i | DefUse.cs:3:17:3:19 | SSA phi(i) | DefUse.cs:76:9:76:11 | SSA def(i) |
 | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA phi(x1) | DefUse.cs:79:13:79:18 | SSA def(x1) |
 | DefUse.cs:79:13:79:14 | x1 | DefUse.cs:80:30:80:31 | SSA phi(x1) | DefUse.cs:80:30:80:31 | SSA def(x1) |
 | DefUse.cs:97:13:97:14 | x5 | DefUse.cs:98:16:98:17 | SSA phi(x5) | DefUse.cs:97:13:97:18 | SSA def(x5) |

csharp/ql/test/library-tests/dataflow/ssa/SsaCapturedVariableDef.expected

@@ -27,14 +27,19 @@
 | in | Properties.cs:74:23:74:23 | a | Properties.cs:74:23:74:54 | SSA def(a) | Properties.cs:82:24:82:46 | SSA capture def(a) | Properties.cs:82:9:82:47 | call to method Select<Int32,Int32> | true |
 | in | Properties.cs:75:23:75:23 | b | Properties.cs:75:23:75:35 | SSA def(b) | Properties.cs:85:24:85:46 | SSA capture def(b) | Properties.cs:85:9:85:47 | call to method Select<Int32,Int32> | true |
 | out | Capture.cs:6:16:6:16 | i | Capture.cs:13:13:13:17 | SSA def(i) | Capture.cs:38:9:38:11 | SSA call def(i) | Capture.cs:38:9:38:11 | delegate call | false |
+| out | Capture.cs:6:16:6:16 | i | Capture.cs:13:13:13:17 | SSA def(i) | Capture.cs:44:9:44:12 | SSA call def(i) | Capture.cs:44:9:44:12 | call to method M | true |
 | out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:38:9:38:11 | SSA call def(x) | Capture.cs:38:9:38:11 | delegate call | false |
 | out | Capture.cs:8:13:8:13 | x | Capture.cs:15:13:15:17 | SSA def(x) | Capture.cs:44:9:44:12 | SSA call def(x) | Capture.cs:44:9:44:12 | call to method M | true |
 | out | Capture.cs:29:13:29:13 | z | Capture.cs:30:28:30:32 | SSA def(z) | Capture.cs:32:9:32:11 | SSA call def(z) | Capture.cs:32:9:32:11 | delegate call | false |
+| out | Capture.cs:29:13:29:13 | z | Capture.cs:30:28:30:32 | SSA def(z) | Capture.cs:44:9:44:12 | SSA call def(z) | Capture.cs:44:9:44:12 | call to method M | true |
 | out | Capture.cs:50:20:50:20 | a | Capture.cs:52:28:52:40 | SSA def(a) | Capture.cs:53:9:53:11 | SSA call def(a) | Capture.cs:53:9:53:11 | delegate call | false |
 | out | Capture.cs:59:13:59:13 | i | Capture.cs:60:36:60:38 | SSA def(i) | Capture.cs:61:9:61:25 | SSA call def(i) | Capture.cs:61:9:61:25 | call to method Select<String,Int32> | true |
 | out | Capture.cs:75:13:75:13 | i | Capture.cs:76:80:76:80 | SSA def(i) | Capture.cs:77:9:77:25 | SSA call def(i) | Capture.cs:77:9:77:25 | call to method Select<String,Int32> | true |
+| out | Capture.cs:102:13:102:13 | z | Capture.cs:105:13:105:17 | SSA def(z) | Capture.cs:103:9:107:10 | SSA call def(z) | Capture.cs:103:9:107:10 | call to local function fn | true |
+| out | Capture.cs:122:13:122:13 | b | Capture.cs:125:13:125:17 | SSA def(b) | Capture.cs:128:9:128:12 | SSA call def(b) | Capture.cs:128:9:128:12 | call to local function M2 | false |
 | out | Capture.cs:130:13:130:13 | c | Capture.cs:133:13:133:17 | SSA def(c) | Capture.cs:136:9:136:12 | SSA call def(c) | Capture.cs:136:9:136:12 | call to local function M3 | false |
 | out | Capture.cs:139:13:139:13 | d | Capture.cs:142:13:142:17 | SSA def(d) | Capture.cs:144:9:144:12 | SSA call def(d) | Capture.cs:144:9:144:12 | call to local function M4 | false |
+| out | Capture.cs:154:13:154:13 | f | Capture.cs:158:13:158:17 | SSA def(f) | Capture.cs:160:9:160:12 | SSA call def(f) | Capture.cs:160:9:160:12 | call to local function M6 | false |
 | out | Capture.cs:168:13:168:13 | h | Capture.cs:174:17:174:21 | SSA def(h) | Capture.cs:176:13:176:16 | SSA call def(h) | Capture.cs:176:13:176:16 | call to local function M9 | false |
 | out | Capture.cs:229:13:229:13 | i | Capture.cs:235:21:235:25 | SSA def(i) | Capture.cs:236:9:236:12 | SSA call def(i) | Capture.cs:236:9:236:12 | call to local function M3 | false |
 | out | DefUse.cs:167:23:167:23 | i | DefUse.cs:173:13:173:17 | SSA def(i) | DefUse.cs:181:9:181:11 | SSA call def(i) | DefUse.cs:181:9:181:11 | delegate call | false |