Fix null dereference false positive

2026-04-24 08:15:14 +02:00 · 2023-12-21 09:11:06 +01:00
parent a354ca3264
commit 91637d49d4
2 changed files with 42 additions and 5 deletions
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll
@@ -163,7 +163,48 @@ private predicate isMaybeNullArgument(Ssa::ExplicitDefinition def, MaybeNullExpr
  |
    p = pdef.getParameter().getUnboundDeclaration() and
    arg = p.getAnAssignedArgument() and
-    not arg.getEnclosingCallable().getEnclosingCallable*() instanceof TestMethod
+    not arg.getEnclosingCallable().getEnclosingCallable*() instanceof TestMethod and
+    (
+      p.isParams()
+      implies
+      (
+        isValidExplicitParamsType(p, arg.getType()) and
+        not exists(Call c | c.getAnArgument() = arg and hasMultipleParamsArguments(c))
+      )
+    )
+  )
+}
+
+/**
+ * Holds if the type `t` is a valid argument type for passing an explicit array
+ * to the `params` parameter `p`. For example, the types `object[]` and `string[]`
+ * of the arguments on lines 4 and 5, respectively, are valid for the parameter
+ * `args` on line 1 in
+ *
+ * ```csharp
+ * void M(params object[] args) { ... }
+ *
+ * void CallM(object[] os, string[] ss, string s) {
+ *   M(os);
+ *   M(ss);
+ *   M(s);
+ * }
+ * ```
+ */
+pragma[nomagic]
+private predicate isValidExplicitParamsType(Parameter p, Type t) {
+  p.isParams() and
+  t.isImplicitlyConvertibleTo(p.getType())
+}
+
+/**
+ * Holds if call `c` has multiple arguments for a `params` parameter
+ * of the targeted callable.
+ */
+private predicate hasMultipleParamsArguments(Call c) {
+  exists(Parameter p | p = c.getTarget().getAParameter() |
+    p.isParams() and
+    exists(c.getArgument(any(int i | i > p.getPosition())))
  )
 }

--- a/csharp/ql/test/query-tests/Nullness/NullMaybe.expected
+++ b/csharp/ql/test/query-tests/Nullness/NullMaybe.expected
@@ -443,9 +443,7 @@ nodes
 | NullAlwaysBad.cs:9:30:9:30 | access to parameter s |
 | NullMaybeBad.cs:7:27:7:27 | access to parameter o |
 | NullMaybeBad.cs:13:17:13:20 | null |
-| Params.cs:9:17:9:20 | access to parameter args |
 | Params.cs:14:17:14:20 | access to parameter args |
-| Params.cs:19:27:19:30 | null |
 | Params.cs:20:12:20:15 | null |
 | StringConcatenation.cs:14:16:14:23 | SSA def(s) |
 | StringConcatenation.cs:15:16:15:16 | access to local variable s |
@@ -835,7 +833,6 @@ edges
 | GuardedString.cs:34:26:34:26 | 0 | GuardedString.cs:35:31:35:31 | access to local variable s |
 | NullAlwaysBad.cs:7:29:7:29 | SSA param(s) | NullAlwaysBad.cs:9:30:9:30 | access to parameter s |
 | NullMaybeBad.cs:13:17:13:20 | null | NullMaybeBad.cs:7:27:7:27 | access to parameter o |
-| Params.cs:19:27:19:30 | null | Params.cs:9:17:9:20 | access to parameter args |
 | Params.cs:20:12:20:15 | null | Params.cs:14:17:14:20 | access to parameter args |
 | StringConcatenation.cs:14:16:14:23 | SSA def(s) | StringConcatenation.cs:15:16:15:16 | access to local variable s |
 | StringConcatenation.cs:15:16:15:16 | access to local variable s | StringConcatenation.cs:16:17:16:17 | access to local variable s |
@@ -924,6 +921,5 @@ edges
 | E.cs:417:34:417:34 | access to parameter i | E.cs:417:24:417:40 | SSA capture def(i) | E.cs:417:34:417:34 | access to parameter i | Variable $@ may be null at this access because it has a nullable type. | E.cs:415:27:415:27 | i | i | E.cs:415:27:415:27 | i | this |
 | GuardedString.cs:35:31:35:31 | access to local variable s | GuardedString.cs:7:16:7:32 | SSA def(s) | GuardedString.cs:35:31:35:31 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | GuardedString.cs:7:16:7:16 | s | s | GuardedString.cs:7:16:7:32 | String s = ... | this |
 | NullMaybeBad.cs:7:27:7:27 | access to parameter o | NullMaybeBad.cs:13:17:13:20 | null | NullMaybeBad.cs:7:27:7:27 | access to parameter o | Variable $@ may be null at this access because of $@ null argument. | NullMaybeBad.cs:5:25:5:25 | o | o | NullMaybeBad.cs:13:17:13:20 | null | this |
-| Params.cs:9:17:9:20 | access to parameter args | Params.cs:19:27:19:30 | null | Params.cs:9:17:9:20 | access to parameter args | Variable $@ may be null at this access because of $@ null argument. | Params.cs:7:36:7:39 | args | args | Params.cs:19:27:19:30 | null | this |
 | Params.cs:14:17:14:20 | access to parameter args | Params.cs:20:12:20:15 | null | Params.cs:14:17:14:20 | access to parameter args | Variable $@ may be null at this access because of $@ null argument. | Params.cs:12:36:12:39 | args | args | Params.cs:20:12:20:15 | null | this |
 | StringConcatenation.cs:16:17:16:17 | access to local variable s | StringConcatenation.cs:14:16:14:23 | SSA def(s) | StringConcatenation.cs:16:17:16:17 | access to local variable s | Variable $@ may be null at this access because of $@ assignment. | StringConcatenation.cs:14:16:14:16 | s | s | StringConcatenation.cs:14:16:14:23 | String s = ... | this |