Remove ObjectType parameter checks from System.qll methods

Removes instanceof ObjectType checks from method signatures in System.qll to support nullable reference types (object?). This fixes false positives when Equals(object?) is used instead of Equals(object), as they are the same underlying type with different nullability annotations. Fixes: - SystemIComparableInterface.getCompareToMethod() - SystemObjectClass.getEqualsMethod() - SystemObjectClass.getStaticEqualsMethod() - SystemObjectClass.getReferenceEqualsMethod() Co-authored-by: hvitved <3667920+hvitved@users.noreply.github.com>
2026-05-14 11:19:27 +02:00 · 2026-02-16 10:34:49 +00:00
parent c20b948b3f
commit fdbc72a673
2 changed files with 46 additions and 6 deletions
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
@@ -144,7 +144,6 @@ class SystemIComparableInterface extends SystemInterface {
    result.getDeclaringType() = this and
    result.hasName("CompareTo") and
    result.getNumberOfParameters() = 1 and
-    result.getParameter(0).getType() instanceof ObjectType and
    result.getReturnType() instanceof IntType
  }
 }
@@ -263,7 +262,6 @@ class SystemObjectClass extends SystemClass instanceof ObjectType {
    result.getDeclaringType() = this and
    result.hasName("Equals") and
    result.getNumberOfParameters() = 1 and
-    result.getParameter(0).getType() instanceof ObjectType and
    result.getReturnType() instanceof BoolType
  }

@@ -273,8 +271,6 @@ class SystemObjectClass extends SystemClass instanceof ObjectType {
    result.getDeclaringType() = this and
    result.hasName("Equals") and
    result.getNumberOfParameters() = 2 and
-    result.getParameter(0).getType() instanceof ObjectType and
-    result.getParameter(1).getType() instanceof ObjectType and
    result.getReturnType() instanceof BoolType
  }

@@ -284,8 +280,6 @@ class SystemObjectClass extends SystemClass instanceof ObjectType {
    result.getDeclaringType() = this and
    result.hasName("ReferenceEquals") and
    result.getNumberOfParameters() = 2 and
-    result.getParameter(0).getType() instanceof ObjectType and
-    result.getParameter(1).getType() instanceof ObjectType and
    result.getReturnType() instanceof BoolType
  }

--- a/Abuse/ClassDoesNotImplementEquals/NullableTest.cs
+++ b/Abuse/ClassDoesNotImplementEquals/NullableTest.cs
@@ -0,0 +1,46 @@
+using System;
+
+#nullable enable
+
+namespace Test
+{
+    class TestClass1 : IEquatable<TestClass1>
+    {
+        private int field1;
+
+        public bool Equals(TestClass1? param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object? param2)
+        {
+            return param2 is TestClass1 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+
+    class TestClass2
+    {
+        private string field2;
+
+        public TestClass2(string s)
+        {
+            field2 = s;
+        }
+
+        public override bool Equals(object? param3)
+        {
+            return param3 is TestClass2 tc && field2 == tc.field2;
+        }
+
+        public override int GetHashCode()
+        {
+            return field2?.GetHashCode() ?? 0;
+        }
+    }
+}