github · aschackmull · Sep 16, 2025 · Aug 14, 2025 · Aug 15, 2025 · Sep 2, 2025
@@ -82,6 +82,7 @@ module;
  */
 
 import java
+private import codeql.controlflow.SuccessorType
 private import codeql.util.Boolean
 private import Completion
 private import controlflow.internal.Preconditions
@@ -124,6 +125,28 @@ module ControlFlow {
       result = succ(this, NormalCompletion())
     }
 
+    /** Gets an immediate successor of this node of a given type, if any. */
+    Node getASuccessor(SuccessorType t) {
+      result = branchSuccessor(this, t.(BooleanSuccessor).getValue())
+      or
+      exists(Completion completion |
+        result = succ(this, completion) and
+        not result = branchSuccessor(this, _)
+      |
+        completion = NormalCompletion() and t instanceof DirectSuccessor
+        or
+        completion = ReturnCompletion() and t instanceof ReturnSuccessor
+        or
+        completion = BreakCompletion(_) and t instanceof BreakSuccessor
+        or
+        completion = YieldCompletion(_) and t instanceof BreakSuccessor
+        or
+        completion = ContinueCompletion(_) and t instanceof ContinueSuccessor
+        or
+        completion = ThrowCompletion(_) and t instanceof ExceptionSuccessor
+      )
+    }
+
     /** Gets the basic block that contains this node. */
     BasicBlock getBasicBlock() { result.getANode() = this }
 

@@ -22,20 +22,8 @@ private module Input implements BB::InputSig<Location> {
   /** Gets the CFG scope in which this node occurs. */
   CfgScope nodeGetCfgScope(Node node) { node.getEnclosingCallable() = result }
 
-  private Node getASpecificSuccessor(Node node, SuccessorType t) {
-    node.(ConditionNode).getABranchSuccessor(t.(BooleanSuccessor).getValue()) = result
-    or
-    node.getAnExceptionSuccessor() = result and t instanceof ExceptionSuccessor
-  }
-
   /** Gets an immediate successor of this node. */
-  Node nodeGetASuccessor(Node node, SuccessorType t) {
-    result = getASpecificSuccessor(node, t)
-    or
-    node.getASuccessor() = result and
-    t instanceof DirectSuccessor and
-    not result = getASpecificSuccessor(node, _)
-  }
+  Node nodeGetASuccessor(Node node, SuccessorType t) { result = node.getASuccessor(t) }
 
   /**
    * Holds if `node` represents an entry node to be used when calculating

@@ -0,0 +1,60 @@
+/**
+ * Provides an implementation of local (intraprocedural) control flow reachability.
+ */
+overlay[local?]
+module;
+
+import java
+private import codeql.controlflow.ControlFlow
+private import semmle.code.java.dataflow.SSA as SSA
+private import semmle.code.java.controlflow.Guards as Guards
+
+private module ControlFlowInput implements InputSig<Location, ControlFlowNode, BasicBlock> {
+  private import java as J
+
+  AstNode getEnclosingAstNode(ControlFlowNode node) { node.getAstNode() = result }
+
+  class AstNode = ExprParent;
+
+  AstNode getParent(AstNode node) {
+    result = node.(Expr).getParent() or
+    result = node.(Stmt).getParent()
+  }
+
+  class FinallyBlock extends AstNode {
+    FinallyBlock() { any(TryStmt try).getFinally() = this }
+  }
+
+  class Expr = J::Expr;
+
+  class SourceVariable = SSA::SsaSourceVariable;
+
+  class SsaDefinition = SSA::SsaVariable;
+
+  class SsaWriteDefinition extends SsaDefinition instanceof SSA::SsaExplicitUpdate {
+    Expr getDefinition() {
+      super.getDefiningExpr().(VariableAssign).getSource() = result or
+      super.getDefiningExpr().(AssignOp) = result
+    }
+  }
+
+  class SsaPhiNode = SSA::SsaPhiNode;
+
+  class SsaUncertainDefinition extends SsaDefinition instanceof SSA::SsaUncertainImplicitUpdate {
+    SsaDefinition getPriorDefinition() { result = super.getPriorDef() }
+  }
+
+  class GuardValue = Guards::GuardValue;
+
+  predicate ssaControlsBranchEdge(SsaDefinition def, BasicBlock bb1, BasicBlock bb2, GuardValue v) {
+    Guards::Guards_v3::ssaControlsBranchEdge(def, bb1, bb2, v)
+  }
+
+  predicate ssaControls(SsaDefinition def, BasicBlock bb, GuardValue v) {
+    Guards::Guards_v3::ssaControls(def, bb, v)
+  }
+
+  import Guards::Guards_v3::InternalUtil
+}
+
+module ControlFlow = Make<Location, Cfg, ControlFlowInput>;
@@ -10,7 +10,7 @@ private import RangeUtils
 private import RangeAnalysis
 
 /** Gets an expression that might have the value `i`. */
-private Expr exprWithIntValue(int i) {
+deprecated private Expr exprWithIntValue(int i) {
   result.(ConstantIntegerExpr).getIntValue() = i or
   result.(ChooseExpr).getAResultExpr() = exprWithIntValue(i)
 }
@@ -19,11 +19,11 @@ private Expr exprWithIntValue(int i) {
  * An expression for which the predicate `integerGuard` is relevant.
  * This includes `VarRead` and `MethodCall`.
  */
-class IntComparableExpr extends Expr {
+deprecated class IntComparableExpr extends Expr {
   IntComparableExpr() { this instanceof VarRead or this instanceof MethodCall }
 
   /** Gets an integer that is directly assigned to the expression in case of a variable; or zero. */
-  int relevantInt() {
+  deprecated int relevantInt() {
     exists(SsaExplicitUpdate ssa, SsaSourceVariable v |
       this = v.getAnAccess() and
       ssa.getSourceVariable() = v and
@@ -55,14 +55,18 @@ private predicate comparison(ComparisonExpr comp, boolean branch, Expr e1, Expr
  * Holds if `guard` evaluating to `branch` ensures that:
  * `e <= k` when `upper = true`
  * `e >= k` when `upper = false`
+ *
+ * Does _not_ include the constant comparison case where the guard directly
+ * ensures `e == k`.
  */
 pragma[nomagic]
 predicate rangeGuard(Expr guard, boolean branch, Expr e, int k, boolean upper) {
   exists(EqualityTest eqtest, Expr c |
     eqtest = guard and
     eqtest.hasOperands(e, c) and
     bounded(c, any(ZeroBound zb), k, upper, _) and
-    branch = eqtest.polarity()
+    branch = eqtest.polarity() and
+    not c instanceof ConstantIntegerExpr
   )
   or
   exists(Expr c, int val, boolean strict, int d |
@@ -87,6 +91,30 @@ predicate rangeGuard(Expr guard, boolean branch, Expr e, int k, boolean upper) {
 }
 
 /**
+ * Gets an expression that directly tests whether a given expression, `e`, is
+ * non-zero.
+ */
+Expr nonZeroGuard(Expr e, boolean branch) {
+  exists(EqualityTest eqtest, boolean polarity, int k |
+    eqtest = result and
+    eqtest.hasOperands(e, any(ConstantIntegerExpr c | c.getIntValue() = k)) and
+    polarity = eqtest.polarity()
+  |
+    k = 0 and branch = polarity.booleanNot()
+    or
+    k != 0 and branch = polarity
+  )
+  or
+  exists(int val, boolean upper | rangeGuard(result, branch, e, val, upper) |
+    upper = true and val < 0 // e <= val < 0  ==>  e != 0
+    or
+    upper = false and val > 0 // e >= val > 0  ==>  e != 0
+  )
+}
+
+/**
+ * DEPRECATED.
+ *
  * An expression that directly tests whether a given expression is equal to `k` or not.
  * The set of `k`s is restricted to those that are relevant for the expression or
  * have a direct comparison with the expression.
@@ -95,7 +123,7 @@ predicate rangeGuard(Expr guard, boolean branch, Expr e, int k, boolean upper) {
  * is true, and different from `k` if `is_k` is false.
  */
 pragma[nomagic]
-Expr integerGuard(IntComparableExpr e, boolean branch, int k, boolean is_k) {
+deprecated Expr integerGuard(IntComparableExpr e, boolean branch, int k, boolean is_k) {
   exists(EqualityTest eqtest, boolean polarity |
     eqtest = result and
     eqtest.hasOperands(e, any(ConstantIntegerExpr c | c.getIntValue() = k)) and
@@ -119,13 +147,15 @@ Expr integerGuard(IntComparableExpr e, boolean branch, int k, boolean is_k) {
 }
 
 /**
+ * DEPRECATED: Use `rangeGuard` instead.
+ *
  * A guard that splits the values of a variable into one range with an upper bound of `k-1`
  * and one with a lower bound of `k`.
  *
  * If `branch_with_lower_bound_k` is true then `result` is equivalent to `k <= x`
  * and if it is false then `result` is equivalent to `k > x`.
  */
-Expr intBoundGuard(VarRead x, boolean branch_with_lower_bound_k, int k) {
+deprecated Expr intBoundGuard(VarRead x, boolean branch_with_lower_bound_k, int k) {
   exists(ComparisonExpr comp, ConstantIntegerExpr c, int val |
     comp = result and
     comp.hasOperands(x, c) and