More precise Nullness tracking by taking correlated instanceof expressions into account.

Fixes #2238.
2026-04-28 10:15:14 +02:00 · 2019-11-21 18:37:44 +01:00
parent d8aae1c126
commit 3e5324e772
3 changed files with 13 additions and 2 deletions
--- a/java/ql/src/semmle/code/java/dataflow/NullGuards.qll
+++ b/java/ql/src/semmle/code/java/dataflow/NullGuards.qll
@@ -24,6 +24,12 @@ Expr enumConstEquality(Expr e, boolean polarity, EnumConstant c) {
  )
 }

+/** Gets an instanceof expression of `v` with type `type` */
+InstanceOfExpr instanceofExpr(SsaVariable v, Expr type) {
+  result.getTypeName() = type and
+  result.getExpr() = v.getAUse()
+}
+
 /** Gets an expression that is provably not `null`. */
 Expr clearlyNotNullExpr(Expr reason) {
  result instanceof ClassInstanceExpr and reason = result
--- a/java/ql/src/semmle/code/java/dataflow/Nullness.qll
+++ b/java/ql/src/semmle/code/java/dataflow/Nullness.qll
@@ -515,6 +515,13 @@ private predicate correlatedConditions(
      cond2.getCondition() = enumConstEquality(v.getAUse(), pol2, c) and
      inverted = pol1.booleanXor(pol2)
    )
+    or
+    exists(SsaVariable v, Expr t1, Expr t2 |
+      cond1.getCondition() = instanceofExpr(v, t1) and
+      cond2.getCondition() = instanceofExpr(v, t2) and
+      t1.getType() = t2.getType() and
+      inverted = false
+    )
  )
 }

--- a/java/ql/test/query-tests/Nullness/NullMaybe.expected
+++ b/java/ql/test/query-tests/Nullness/NullMaybe.expected
@@ -17,8 +17,6 @@
 | B.java:190:7:190:7 | o | Variable $@ may be null here because of $@ assignment. | B.java:178:5:178:20 | Object o | o | B.java:186:5:186:12 | ...=... | this |
 | B.java:279:7:279:7 | a | Variable $@ may be null here because of $@ assignment. | B.java:276:5:276:19 | int[] a | a | B.java:276:11:276:18 | a | this |
 | B.java:292:7:292:7 | b | Variable $@ may be null here because of $@ assignment. | B.java:287:5:287:44 | int[] b | b | B.java:287:11:287:43 | b | this |
-| B.java:334:7:334:7 | x | Variable $@ may be null here because of $@ assignment. | B.java:329:5:329:20 | Object x | x | B.java:329:12:329:19 | x | this |
-| B.java:344:7:344:7 | x | Variable $@ may be null here because of $@ assignment. | B.java:339:5:339:20 | Object x | x | B.java:339:12:339:19 | x | this |
 | C.java:9:44:9:45 | a2 | Variable $@ may be null here as suggested by $@ null guard. | C.java:6:5:6:23 | long[][] a2 | a2 | C.java:7:34:7:54 | ... != ... | this |
 | C.java:9:44:9:45 | a2 | Variable $@ may be null here because of $@ assignment. | C.java:6:5:6:23 | long[][] a2 | a2 | C.java:6:14:6:22 | a2 | this |
 | C.java:10:17:10:18 | a3 | Variable $@ may be null here as suggested by $@ null guard. | C.java:8:5:8:21 | long[] a3 | a3 | C.java:9:38:9:58 | ... != ... | this |