Java: Rename StmtExpr to ValueDiscardingExpr

Marcono1234 · Marcono1234 · commit 36f56b5a189c · 2022-05-09T00:27:15.000+02:00
As mentioned by aschackmull during review, StatementExpression as defined
by the JLS only lists possible types of expressions, it does _not_ specify
that their value is discarded. Therefore, for example any method call could
be considered a StatementExpression.

The name ValueDiscardingExpr was chosen as replacement because the JLS uses
the phrase "if the expression has a value, the value is discarded" multiple
times.
diff --git a/java/ql/lib/change-notes/2022-03-27-statement-expression.md b/java/ql/lib/change-notes/2022-03-27-statement-expression.md
diff --git a/java/ql/lib/change-notes/2022-05-09-value-discarding-expression.md b/java/ql/lib/change-notes/2022-05-09-value-discarding-expression.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
diff --git a/java/ql/lib/semmle/code/java/Collections.qll b/java/ql/lib/semmle/code/java/Collections.qll
@@ -84,7 +84,7 @@ class CollectionMutation extends MethodAccess {
   CollectionMutation() { this.getMethod() instanceof CollectionMutator }
 
   /** Holds if the result of this call is not immediately discarded. */
-  predicate resultIsChecked() { not this instanceof StmtExpr }
+  predicate resultIsChecked() { not this instanceof ValueDiscardingExpr }
 }
 
 /** A method that queries the contents of a collection without mutating it. */
diff --git a/java/ql/lib/semmle/code/java/Expr.qll b/java/ql/lib/semmle/code/java/Expr.qll
@@ -2135,38 +2135,45 @@ class Argument extends Expr {
 }
 
 /**
- * A statement expression, as specified by JLS 17 section 14.8.
- * The result of a statement expression, if any, is discarded.
+ * An expression for which the value of the expression as a whole is discarded. Only cases
+ * of discarded values at the language level (as described by the JLS) are considered;
+ * data flow, for example to determine if an assigned variable value is ever read, is not
+ * considered. Such expressions can for example appear as part of an `ExprStmt` or as
+ * initializer of a `for` loop.
  *
- * Not to be confused with `ExprStmt`; while the child of an `ExprStmt` is always
- * a `StmtExpr`, the opposite is not true. A `StmtExpr` occurs for example also
- * as 'init' of a `for` statement.
+ * For example, for the statement `i++;` the value of the increment expression, that is the
+ * old value of variable `i`, is discarded. Whereas for the statement `println(i++);` the
+ * value of the increment expression is not discarded but used as argument for the method call.
  */
-class StmtExpr extends Expr {
-  StmtExpr() {
-    this = any(ExprStmt s).getExpr()
-    or
-    this = any(ForStmt s).getAnInit() and not this instanceof LocalVariableDeclExpr
-    or
-    this = any(ForStmt s).getAnUpdate()
-    or
-    // Only applies to SwitchStmt, but not to SwitchExpr, see JLS 17 section 14.11.2
-    this = any(SwitchStmt s).getACase().getRuleExpression()
-    or
-    // TODO: Workarounds for https://github.com/github/codeql/issues/3605
-    exists(LambdaExpr lambda |
-      this = lambda.getExprBody() and
-      lambda.asMethod().getReturnType() instanceof VoidType
-    )
-    or
-    exists(MemberRefExpr memberRef, Method implicitMethod, Method overridden |
-      implicitMethod = memberRef.asMethod()
-    |
-      this.getParent().(ReturnStmt).getEnclosingCallable() = implicitMethod and
-      // asMethod() has bogus method with wrong return type as result, e.g. `run(): String` (overriding `Runnable.run(): void`)
-      // Therefore need to check the overridden method
-      implicitMethod.getSourceDeclaration().overridesOrInstantiates*(overridden) and
-      overridden.getReturnType() instanceof VoidType
-    )
+class ValueDiscardingExpr extends Expr {
+  ValueDiscardingExpr() {
+    (
+      this = any(ExprStmt s).getExpr()
+      or
+      this = any(ForStmt s).getAnInit() and not this instanceof LocalVariableDeclExpr
+      or
+      this = any(ForStmt s).getAnUpdate()
+      or
+      // Only applies to SwitchStmt, but not to SwitchExpr, see JLS 17 section 14.11.2
+      this = any(SwitchStmt s).getACase().getRuleExpression()
+      or
+      // TODO: Workarounds for https://github.com/github/codeql/issues/3605
+      exists(LambdaExpr lambda |
+        this = lambda.getExprBody() and
+        lambda.asMethod().getReturnType() instanceof VoidType
+      )
+      or
+      exists(MemberRefExpr memberRef, Method implicitMethod, Method overridden |
+        implicitMethod = memberRef.asMethod()
+      |
+        this.getParent().(ReturnStmt).getEnclosingCallable() = implicitMethod and
+        // asMethod() has bogus method with wrong return type as result, e.g. `run(): String` (overriding `Runnable.run(): void`)
+        // Therefore need to check the overridden method
+        implicitMethod.getSourceDeclaration().overridesOrInstantiates*(overridden) and
+        overridden.getReturnType() instanceof VoidType
+      )
+    ) and
+    // Ignore if this expression is a method call with `void` as return type
+    not getType() instanceof VoidType
   }
 }
diff --git a/java/ql/lib/semmle/code/java/Maps.qll b/java/ql/lib/semmle/code/java/Maps.qll
@@ -53,7 +53,7 @@ class MapMutation extends MethodAccess {
   MapMutation() { this.getMethod() instanceof MapMutator }
 
   /** Holds if the result of this call is not immediately discarded. */
-  predicate resultIsChecked() { not this instanceof StmtExpr }
+  predicate resultIsChecked() { not this instanceof ValueDiscardingExpr }
 }
 
 /** A method that queries the contents of the map it belongs to without mutating it. */
diff --git a/java/ql/src/Likely Bugs/Statements/ReturnValueIgnored.ql b/java/ql/src/Likely Bugs/Statements/ReturnValueIgnored.ql
@@ -18,7 +18,7 @@ import Chaining
 
 predicate checkedMethodCall(MethodAccess ma) {
   relevantMethodCall(ma, _) and
-  not ma instanceof StmtExpr
+  not ma instanceof ValueDiscardingExpr
 }
 
 /**
diff --git a/java/ql/src/Violations of Best Practice/Exception Handling/IgnoreExceptionalReturn.ql b/java/ql/src/Violations of Best Practice/Exception Handling/IgnoreExceptionalReturn.ql
@@ -45,7 +45,7 @@ predicate unboundedQueue(RefType t) {
 
 from MethodAccess ma, SpecialMethod m
 where
-  ma instanceof StmtExpr and
+  ma instanceof ValueDiscardingExpr and
   m = ma.getMethod() and
   (
     m.isMethod("java.util", "Queue", "offer", 1) and not unboundedQueue(m.getDeclaringType())
diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
@@ -21,7 +21,7 @@ private class HostnameVerificationCall extends MethodAccess {
   }
 
   /** Holds if the result of the call is not used. */
-  predicate isIgnored() { this instanceof StmtExpr }
+  predicate isIgnored() { this instanceof ValueDiscardingExpr }
 }
 
 from HostnameVerificationCall verification
diff --git a/java/ql/test/library-tests/StmtExpr/StmtExpr.expected b/java/ql/test/library-tests/StmtExpr/StmtExpr.expected
diff --git a/java/ql/test/library-tests/StmtExpr/StmtExpr.java b/java/ql/test/library-tests/StmtExpr/StmtExpr.java
diff --git a/java/ql/test/library-tests/StmtExpr/StmtExpr.ql b/java/ql/test/library-tests/StmtExpr/StmtExpr.ql
diff --git a/java/ql/test/library-tests/ValueDiscardingExpr/ValueDiscardingExpr.expected b/java/ql/test/library-tests/ValueDiscardingExpr/ValueDiscardingExpr.expected
@@ -0,0 +1,16 @@
+| ValueDiscardingExpr.java:9:9:9:18 | toString(...) |
+| ValueDiscardingExpr.java:18:9:18:13 | ...=... |
+| ValueDiscardingExpr.java:19:9:19:11 | ...++ |
+| ValueDiscardingExpr.java:20:9:20:11 | ++... |
+| ValueDiscardingExpr.java:21:9:21:11 | ...-- |
+| ValueDiscardingExpr.java:22:9:22:11 | --... |
+| ValueDiscardingExpr.java:24:9:24:20 | new Object(...) |
+| ValueDiscardingExpr.java:27:9:27:28 | clone(...) |
+| ValueDiscardingExpr.java:30:14:30:38 | append(...) |
+| ValueDiscardingExpr.java:35:17:35:43 | append(...) |
+| ValueDiscardingExpr.java:55:24:55:33 | toString(...) |
+| ValueDiscardingExpr.java:74:29:74:38 | toString(...) |
+| ValueDiscardingExpr.java:76:13:76:22 | toString(...) |
+| ValueDiscardingExpr.java:90:23:90:35 | new StmtExpr(...) |
+| ValueDiscardingExpr.java:91:23:91:36 | toString(...) |
+| ValueDiscardingExpr.java:95:25:95:37 | new String[] |
diff --git a/java/ql/test/library-tests/ValueDiscardingExpr/ValueDiscardingExpr.java b/java/ql/test/library-tests/ValueDiscardingExpr/ValueDiscardingExpr.java
@@ -0,0 +1,100 @@
+package StmtExpr;
+
+import java.util.function.IntConsumer;
+import java.util.function.IntFunction;
+import java.util.function.Supplier;
+
+class StmtExpr {
+    void test() {
+        toString();
+
+        // Method call with `void` return type is not a ValueDiscardingExpr
+        System.out.println("test");
+
+        // LocalVariableDeclarationStatement with init is not a ValueDiscardingExpr
+        String s = toString();
+
+        int i;
+        i = 0;
+        i++;
+        ++i;
+        i--;
+        --i;
+
+        new Object();
+        // Language specification does not permit ArrayCreationExpression at locations where its
+        // value would be discard, but the value of a method access on it can be discarded
+        new int[] {}.clone();
+
+        // for statement init can discard value
+        for (System.out.append("init");;) {
+            break;
+        }
+
+        // for statement update discards value
+        for (;; System.out.append("update")) {
+            break;
+        }
+
+        // Method call with `void` return type is not a ValueDiscardingExpr
+        for (;; System.out.println("update")) {
+            break;
+        }
+
+        // variable declaration and condition are not ValueDiscardingExpr
+        for (int i1 = 0; i1 < 10;) { }
+        for (int i1, i2 = 0; i2 < 10;) { }
+        for (;;) {
+            break;
+        }
+
+        // Not a ValueDiscardingExpr
+        for (int i2 : new int[] {1}) { }
+
+        switch(1) {
+            default -> toString(); // ValueDiscardingExpr
+        }
+
+        switch(1) {
+            // Method call with `void` return type is not a ValueDiscardingExpr
+            default -> System.out.println();
+        }
+
+        String s2 = switch(1) {
+            // Expression in SwitchExpression case rule is not a ValueDiscardingExpr
+            default -> toString();
+        };
+
+        // Expression in lambda with non-void return type is not a ValueDiscardingExpr
+        Supplier<Object> supplier1 = () -> toString();
+        Supplier<Object> supplier2 = () -> {
+            return toString();
+        };
+        // Expression in lambda with void return type is ValueDiscardingExpr
+        Runnable r1 = () -> toString();
+        Runnable r2 = () -> {
+            toString();
+        };
+        // Lambda with method call with `void` return type is not a ValueDiscardingExpr
+        Runnable r3 = () -> System.out.println();
+        Runnable r4 = () -> {
+            System.out.println();
+        };
+
+        // Method reference with non-void return type has no ValueDiscardingExpr
+        Supplier<Object> supplier3 = StmtExpr::new;
+        IntFunction<Object> f = String[]::new;
+        Supplier<Object> supplier4 = this::toString;
+
+        // Method reference with void return type has ValueDiscardingExpr in implicit method body
+        Runnable r5 = StmtExpr::new;
+        Runnable r6 = this::toString;
+        // Interestingly a method reference expression with function type (int)->void allows usage of
+        // array creation expressions, even though a regular StatementExpression would not allow it,
+        // for example the ExpressionStatement `new String[1];` is not allowed by the JLS
+        IntConsumer c = String[]::new;
+
+        // Method reference referring to method with `void` return type is not a ValueDiscardingExpr
+        Runnable r7 = System.out::println;
+    }
+}
diff --git a/java/ql/test/library-tests/ValueDiscardingExpr/ValueDiscardingExpr.ql b/java/ql/test/library-tests/ValueDiscardingExpr/ValueDiscardingExpr.ql
@@ -0,0 +1,4 @@
+import java
+
+from ValueDiscardingExpr e
+select e
diff --git a/java/ql/test/library-tests/ValueDiscardingExpr/options b/java/ql/test/library-tests/ValueDiscardingExpr/options

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: feature
 +---
 +* The QL class `ValueDiscardingExpr` has been added, representing expressions for which the value of the expression as a whole is discarded.
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ class CollectionMutation extends MethodAccess {`
`84`	`84`	`CollectionMutation() { this.getMethod() instanceof CollectionMutator }`
`85`	`85`
`86`	`86`	`/** Holds if the result of this call is not immediately discarded. */`
`87`		`- predicate resultIsChecked() { not this instanceof StmtExpr }`
	`87`	`+ predicate resultIsChecked() { not this instanceof ValueDiscardingExpr }`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`/** A method that queries the contents of a collection without mutating it. */`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ class MapMutation extends MethodAccess {`
`53`	`53`	`MapMutation() { this.getMethod() instanceof MapMutator }`
`54`	`54`
`55`	`55`	`/** Holds if the result of this call is not immediately discarded. */`
`56`		`- predicate resultIsChecked() { not this instanceof StmtExpr }`
	`56`	`+ predicate resultIsChecked() { not this instanceof ValueDiscardingExpr }`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`/** A method that queries the contents of the map it belongs to without mutating it. */`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ import Chaining`
`18`	`18`
`19`	`19`	`predicate checkedMethodCall(MethodAccess ma) {`
`20`	`20`	`relevantMethodCall(ma, _) and`
`21`		`- not ma instanceof StmtExpr`
	`21`	`+ not ma instanceof ValueDiscardingExpr`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ predicate unboundedQueue(RefType t) {`
`45`	`45`
`46`	`46`	`from MethodAccess ma, SpecialMethod m`
`47`	`47`	`where`
`48`		`- ma instanceof StmtExpr and`
	`48`	`+ ma instanceof ValueDiscardingExpr and`
`49`	`49`	`m = ma.getMethod() and`
`50`	`50`	`(`
`51`	`51`	`m.isMethod("java.util", "Queue", "offer", 1) and not unboundedQueue(m.getDeclaringType())`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ private class HostnameVerificationCall extends MethodAccess {`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`/** Holds if the result of the call is not used. */`
`24`		`- predicate isIgnored() { this instanceof StmtExpr }`
	`24`	`+ predicate isIgnored() { this instanceof ValueDiscardingExpr }`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`from HostnameVerificationCall verification`