Java/Cfg: Introduce new shared CFG library and replace the Java CFG.

java/ql/lib/semmle/code/java/ControlFlowGraph.qll

@@ -162,12 +162,6 @@ module ControlFlow {
     /** Gets the expression this `Node` corresponds to, if any. */
     Expr asExpr() { this = TExprNode(result) }
 
-    /** Gets the call this `Node` corresponds to, if any. */
-    Call asCall() {
-      result = this.asExpr() or
-      result = this.asStmt()
-    }
-
     /** Gets a textual representation of this element. */
     string toString() { none() }
 

java/ql/lib/semmle/code/java/Expr.qll

@@ -1245,6 +1245,9 @@ class ClassInstanceExpr extends Expr, ConstructorCall, @classinstancexpr {
   /** Gets the immediately enclosing statement of this class instance creation expression. */
   override Stmt getEnclosingStmt() { result = Expr.super.getEnclosingStmt() }
 
+  /** Gets the `ControlFlowNode` corresponding to this call. */
+  override ControlFlowNode getControlFlowNode() { result = Expr.super.getControlFlowNode() }
+
   /** Gets a printable representation of this expression. */
   override string toString() {
     result = "new " + this.getConstructor().getName() + "(...)"
@@ -2113,6 +2116,9 @@ class MethodCall extends Expr, Call, @methodaccess {
   /** Gets the immediately enclosing statement that contains this method access. */
   override Stmt getEnclosingStmt() { result = Expr.super.getEnclosingStmt() }
 
+  /** Gets the `ControlFlowNode` corresponding to this call. */
+  override ControlFlowNode getControlFlowNode() { result = Expr.super.getControlFlowNode() }
+
   /** Gets a printable representation of this expression. */
   override string toString() {
     if exists(this.getMethod())
@@ -2305,6 +2311,9 @@ class Call extends ExprParent, @caller {
   /** Gets the enclosing statement of this call. */
   /*abstract*/ Stmt getEnclosingStmt() { none() }
 
+  /** Gets the `ControlFlowNode` corresponding to this call. */
+  /*abstract*/ ControlFlowNode getControlFlowNode() { none() }
+
   /** Gets the number of arguments provided in this call. */
   int getNumArgument() { count(this.getAnArgument()) = result }
 

java/ql/lib/semmle/code/java/Statement.qll

@@ -61,7 +61,7 @@ class Stmt extends StmtParent, ExprParent, @stmt {
 }
 
 /** A statement parent is any element that can have a statement as its child. */
-class StmtParent extends @stmtparent, Top { }
+class StmtParent extends @stmtparent, ExprParent { }
 
 /**
  * An error statement.
@@ -960,6 +960,9 @@ class ThisConstructorInvocationStmt extends Stmt, ConstructorCall, @constructori
   /** Gets the immediately enclosing statement of this constructor invocation. */
   override Stmt getEnclosingStmt() { result = this }
 
+  /** Gets the `ControlFlowNode` corresponding to this call. */
+  override ControlFlowNode getControlFlowNode() { result = Stmt.super.getControlFlowNode() }
+
   override string pp() { result = "this(...)" }
 
   override string toString() { result = "this(...)" }
@@ -1001,6 +1004,9 @@ class SuperConstructorInvocationStmt extends Stmt, ConstructorCall, @superconstr
   /** Gets the immediately enclosing statement of this constructor invocation. */
   override Stmt getEnclosingStmt() { result = this }
 
+  /** Gets the `ControlFlowNode` corresponding to this call. */
+  override ControlFlowNode getControlFlowNode() { result = Stmt.super.getControlFlowNode() }
+
   override string pp() { result = "super(...)" }
 
   override string toString() { result = "super(...)" }

java/ql/lib/semmle/code/java/controlflow/Paths.qll

@@ -34,7 +34,7 @@ abstract class ActionConfiguration extends string {
 private BasicBlock actionBlock(ActionConfiguration conf) {
   exists(ControlFlowNode node | result = node.getBasicBlock() |
     conf.isAction(node) or
-    callAlwaysPerformsAction(node.asCall(), conf)
+    callAlwaysPerformsAction(any(Call call | call.getControlFlowNode() = node), conf)
   )
 }
 

java/ql/lib/semmle/code/java/dataflow/InstanceAccess.qll

@@ -229,7 +229,7 @@ class InstanceAccessExt extends TInstanceAccessExt {
   /** Gets the control flow node associated with this instance access. */
   ControlFlowNode getCfgNode() {
     exists(ExprParent e | e = this.getAssociatedExprOrStmt() |
-      result.asCall() = e
+      result = e.(Call).getControlFlowNode()
       or
       e.(InstanceAccess).getControlFlowNode() = result
       or

java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll

@@ -132,7 +132,7 @@ private module BaseSsaImpl {
       inner != outer and
       inner.getDeclaringType() = innerclass and
       result = parentDef(desugaredGetEnclosingType*(innerclass)) and
-      result.getEnclosingStmt().getEnclosingCallable() = outer and
+      result.getEnclosingCallable() = outer and
       capturedvar = TLocalVar(outer, v) and
       closurevar = TLocalVar(inner, v)
     )

java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll

@@ -115,7 +115,7 @@ private ControlFlowNode captureNode(TrackedVar capturedvar, TrackedVar closureva
     inner != outer and
     inner.getDeclaringType() = innerclass and
     result = parentDef(desugaredGetEnclosingType*(innerclass)) and
-    result.getEnclosingStmt().getEnclosingCallable() = outer and
+    result.getEnclosingCallable() = outer and
     capturedvar = TLocalVar(outer, v) and
     closurevar = TLocalVar(inner, v)
   )
@@ -153,7 +153,7 @@ private predicate hasEntryDef(TrackedVar v, BasicBlock b) {
 overlay[global]
 pragma[nomagic]
 private predicate uncertainVariableUpdateImpl(TrackedVar v, ControlFlowNode n, BasicBlock b, int i) {
-  exists(Call c | c = n.asCall() | updatesNamedField(c, v, _)) and
+  exists(Call c | c.getControlFlowNode() = n | updatesNamedField(c, v, _)) and
   b.getNode(i) = n and
   hasDominanceInformation(b)
   or
@@ -525,8 +525,11 @@ private module Cached {
   overlay[global]
   cached
   predicate defUpdatesNamedField(SsaImplicitWrite calldef, TrackedField f, Callable setter) {
-    f = calldef.getSourceVariable() and
-    updatesNamedField0(calldef.getControlFlowNode().asCall(), f, setter)
+    exists(Call call |
+      f = calldef.getSourceVariable() and
+      call.getControlFlowNode() = calldef.getControlFlowNode() and
+      updatesNamedField0(call, f, setter)
+    )
   }
 
   /** Holds if `init` is a closure variable that captures the value of `capturedvar`. */

java/ql/src/experimental/quantum/Examples/ArtifactReuse.qll

@@ -42,7 +42,7 @@ private DataFlow::Node getGeneratingWrapperSet(Crypto::NonceArtifactNode a) {
 }
 
 private predicate ancestorOfArtifact(
-  Crypto::ArtifactNode a, Callable enclosingCallable, ControlFlow::Node midOrTarget
+  Crypto::ArtifactNode a, Callable enclosingCallable, ControlFlowNode midOrTarget
 ) {
   a.asElement().(Expr).getEnclosingCallable() = enclosingCallable and
   (
@@ -87,7 +87,7 @@ predicate isArtifactReuse(Crypto::ArtifactNode a, Crypto::ArtifactNode b) {
       ancestorOfArtifact(b, commonParent, _)
     )
     implies
-    exists(Callable commonParent, ControlFlow::Node aMid, ControlFlow::Node bMid |
+    exists(Callable commonParent, ControlFlowNode aMid, ControlFlowNode bMid |
       ancestorOfArtifact(a, commonParent, aMid) and
       ancestorOfArtifact(b, commonParent, bMid) and
       a instanceof Crypto::NonceArtifactNode and

shared/controlflow/codeql/controlflow/BasicBlock.qll

@@ -177,6 +177,9 @@ module Make<LocationSig Location, InputSig<Location> Input> implements CfgSig<Lo
     /** Gets the CFG scope of this basic block. */
     CfgScope getScope() { result = nodeGetCfgScope(this.getFirstNode()) }
 
+    /** Gets the enclosing callable of this basic block. */
+    CfgScope getEnclosingCallable() { result = nodeGetCfgScope(this.getFirstNode()) }
+
     /** Gets the location of this basic block. */
     Location getLocation() { result = this.getFirstNode().getLocation() }
 

shared/controlflow/codeql/controlflow/SuccessorType.qll

@@ -28,6 +28,38 @@ module;
 
 private import codeql.util.Boolean
 
+private newtype TConditionKind =
+  TBooleanCondition() or
+  TNullnessCondition() or
+  TMatchingCondition() or
+  TEmptinessCondition()
+
+/** A condition kind. This is used to classify different `ConditionalSuccessor`s. */
+class ConditionKind extends TConditionKind {
+  /** Gets a textual representation of this condition kind. */
+  string toString() {
+    this instanceof TBooleanCondition and result = "Boolean"
+    or
+    this instanceof TNullnessCondition and result = "Nullness"
+    or
+    this instanceof TMatchingCondition and result = "Matching"
+    or
+    this instanceof TEmptinessCondition and result = "Emptiness"
+  }
+
+  /** Holds if this condition kind identifies `BooleanSuccessor`s. */
+  predicate isBoolean() { this instanceof TBooleanCondition }
+
+  /** Holds if this condition kind identifies `NullnessSuccessor`s. */
+  predicate isNullness() { this instanceof TNullnessCondition }
+
+  /** Holds if this condition kind identifies `MatchingSuccessor`s. */
+  predicate isMatching() { this instanceof TMatchingCondition }
+
+  /** Holds if this condition kind identifies `EmptinessSuccessor`s. */
+  predicate isEmptiness() { this instanceof TEmptinessCondition }
+}
+
 private newtype TSuccessorType =
   TDirectSuccessor() or
   TBooleanSuccessor(Boolean branch) or
@@ -83,6 +115,18 @@ private class TConditionalSuccessor =
 abstract private class ConditionalSuccessorImpl extends NormalSuccessorImpl, TConditionalSuccessor {
   /** Gets the Boolean value of this successor. */
   abstract boolean getValue();
+
+  /** Gets the condition kind of this conditional successor. */
+  abstract ConditionKind getKind();
+
+  /**
+   * Gets the dual of this conditional successor. That is, the conditional
+   * successor of the same kind but with the opposite value.
+   */
+  ConditionalSuccessor getDual() {
+    this.getValue().booleanNot() = result.getValue() and
+    this.getKind() = result.getKind()
+  }
 }
 
 final class ConditionalSuccessor = ConditionalSuccessorImpl;
@@ -116,6 +160,8 @@ final class ConditionalSuccessor = ConditionalSuccessorImpl;
 class BooleanSuccessor extends ConditionalSuccessorImpl, TBooleanSuccessor {
   override boolean getValue() { this = TBooleanSuccessor(result) }
 
+  override ConditionKind getKind() { result = TBooleanCondition() }
+
   override string toString() { result = this.getValue().toString() }
 }
 
@@ -151,6 +197,8 @@ class NullnessSuccessor extends ConditionalSuccessorImpl, TNullnessSuccessor {
 
   override boolean getValue() { this = TNullnessSuccessor(result) }
 
+  override ConditionKind getKind() { result = TNullnessCondition() }
+
   override string toString() { if this.isNull() then result = "null" else result = "non-null" }
 }
 
@@ -192,6 +240,8 @@ class MatchingSuccessor extends ConditionalSuccessorImpl, TMatchingSuccessor {
 
   override boolean getValue() { this = TMatchingSuccessor(result) }
 
+  override ConditionKind getKind() { result = TMatchingCondition() }
+
   override string toString() { if this.isMatch() then result = "match" else result = "no-match" }
 }
 
@@ -233,6 +283,8 @@ class EmptinessSuccessor extends ConditionalSuccessorImpl, TEmptinessSuccessor {
 
   override boolean getValue() { this = TEmptinessSuccessor(result) }
 
+  override ConditionKind getKind() { result = TEmptinessCondition() }
+
   override string toString() { if this.isEmpty() then result = "empty" else result = "non-empty" }
 }