java: understand more initializers

Whne a fiels is assigned a safe type in a constructor,
that field is not exposed.

Author: yoff

java/ql/lib/semmle/code/java/ConflictingAccess.qll

@@ -63,12 +63,23 @@ class ExposedField extends Field {
     not this.getType() instanceof LockType and
     // field is not thread-safe
     not isThreadSafeType(this.getType()) and
-    not isThreadSafeType(this.getInitializer().getType()) and
+    not isThreadSafeType(initialValue(this).getType()) and
     // the initializer guarantees thread safety
-    not isThreadSafeInitializer(this.getInitializer())
+    not isThreadSafeInitializer(initialValue(this))
   }
 }
 
+/**
+ * Gets the initial value for the field `f`.
+ * This is either a static initializer or an assignment in a constructor.
+ */
+Expr initialValue(Field f) {
+  result = f.getInitializer()
+  or
+  result = f.getAnAssignedValue() and
+  result.getEnclosingCallable() = f.getDeclaringType().getAConstructor()
+}
+
 /**
  * A field access that is exposed to potential data races.
  * We require the field to be in a class that is annotated as `@ThreadSafe`.

java/ql/test/query-tests/ThreadSafe/ThreadSafe.expected

@@ -43,7 +43,4 @@
 | examples/Test.java:60:5:60:10 | this.y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/Test.java:60:5:60:10 | this.y | this expression |
 | examples/Test.java:74:5:74:10 | this.y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/Test.java:74:5:74:10 | this.y | this expression |
 | examples/Test.java:74:14:74:14 | y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/Test.java:74:14:74:14 | y | this expression |
-| examples/ThreadSafeInitializers.java:29:9:29:16 | sync_map | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/ThreadSafeInitializers.java:29:9:29:16 | sync_map | this expression |
-| examples/ThreadSafeInitializers.java:37:9:37:12 | cmap | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/ThreadSafeInitializers.java:37:9:37:12 | cmap | this expression |
 | examples/ThreadSafeInitializers.java:45:9:45:14 | this.y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/ThreadSafeInitializers.java:45:9:45:14 | this.y | this expression |
-| examples/ThreadSafeInitializers.java:49:9:49:11 | set | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/ThreadSafeInitializers.java:49:9:49:11 | set | this expression |

java/ql/test/query-tests/ThreadSafe/examples/ThreadSafeInitializers.java

@@ -26,15 +26,15 @@ public ThreadSafeInitializers() {
     }
 
     public void sync_map_put(Integer i, Integer v) {
-        sync_map.put(i,v); // $ SPURIOUS: Alert
+        sync_map.put(i,v);
     }
 
     public void sync_map_initialised_put(Integer i, Integer v) {
         sync_map_initialised.put(i,v);
     }
 
     public void cmap_put(String s1, String s2) {
-        cmap.put(s1, s2); // $ SPURIOUS: Alert
+        cmap.put(s1, s2);
     }
 
     public void cmap_initialised_put(String s1, String s2) {
@@ -46,7 +46,7 @@ public void setY(int y) {
     }
 
     public void set_add(Integer i) {
-        set.add(i); // $ SPURIOUS: Alert
+        set.add(i);
     }
 
     public void set_initialised_add(Integer i) {