github · aschackmull · Sep 2, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025
@@ -3,6 +3,8 @@ private import codeql.controlflow.Cfg as CfgShared
 private import codeql.Locations
 
 module Completion {
+  import codeql.controlflow.SuccessorType
+
   private newtype TCompletion =
     TSimpleCompletion() or
     TBooleanCompletion(boolean b) { b in [false, true] } or
@@ -25,7 +27,7 @@ module Completion {
 
     override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
 
-    override NormalSuccessor getAMatchingSuccessorType() { any() }
+    override DirectSuccessor getAMatchingSuccessorType() { any() }
   }
 
   class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
@@ -49,34 +51,6 @@ module Completion {
 
     override ReturnSuccessor getAMatchingSuccessorType() { any() }
   }
-
-  cached
-  private newtype TSuccessorType =
-    TNormalSuccessor() or
-    TBooleanSuccessor(boolean b) { b in [false, true] } or
-    TReturnSuccessor()
-
-  class SuccessorType extends TSuccessorType {
-    string toString() { none() }
-  }
-
-  class NormalSuccessor extends SuccessorType, TNormalSuccessor {
-    override string toString() { result = "successor" }
-  }
-
-  class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
-    boolean value;
-
-    BooleanSuccessor() { this = TBooleanSuccessor(value) }
-
-    override string toString() { result = value.toString() }
-
-    boolean getValue() { result = value }
-  }
-
-  class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
-    override string toString() { result = "return" }
-  }
 }
 
 module CfgScope {
@@ -127,14 +101,8 @@ private module Implementation implements CfgShared::InputSig<Location> {
     last(scope.(CompositeAction), e, c)
   }
 
-  predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
-
-  predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
-
   SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
 
-  predicate isAbnormalExitType(SuccessorType t) { none() }
-
   int idOfAstNode(AstNode node) { none() }
 
   int idOfCfgScope(CfgScope scope) { none() }

@@ -2,6 +2,7 @@
  * Provides classes that specify the conditions under which control flows along a given edge.
  */
 
+private import codeql.controlflow.SuccessorType
 private import internal.EdgeKindInternal
 
 private newtype TEdgeKind =
@@ -28,6 +29,21 @@
 
 final class EdgeKind = EdgeKindImpl;
 
+private SuccessorType getAMatchingSpecificSuccessorType(EdgeKind k) {
+  result.(BooleanSuccessor).getValue() = true and k instanceof TrueEdge
+  or
+  result.(BooleanSuccessor).getValue() = false and k instanceof FalseEdge
+  or
+  result instanceof ExceptionSuccessor and k instanceof ExceptionEdge
+}
+
+SuccessorType getAMatchingSuccessorType(EdgeKind k) {
+  result = getAMatchingSpecificSuccessorType(k)
+  or
+  not exists(getAMatchingSpecificSuccessorType(k)) and
+  result instanceof DirectSuccessor
+}
+
 /**
  * A "goto" edge, representing the unconditional successor of an `Instruction`
  * or `IRBlock`.

@@ -265,9 +265,9 @@ private predicate isEntryBlock(TIRBlock block) {
 }
 
 module IRCfg implements BB::CfgSig<Language::Location> {
-  class ControlFlowNode = Instruction;
+  private import codeql.controlflow.SuccessorType
 
-  class SuccessorType = EdgeKind;
+  class ControlFlowNode = Instruction;
 
   final private class FinalIRBlock = IRBlock;
 
@@ -280,7 +280,12 @@ module IRCfg implements BB::CfgSig<Language::Location> {
 
     BasicBlock getASuccessor() { result = super.getASuccessor() }
 
-    BasicBlock getASuccessor(SuccessorType t) { result = super.getSuccessor(t) }
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }
 
     predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
 

@@ -265,9 +265,9 @@ private predicate isEntryBlock(TIRBlock block) {
 }
 
 module IRCfg implements BB::CfgSig<Language::Location> {
-  class ControlFlowNode = Instruction;
+  private import codeql.controlflow.SuccessorType
 
-  class SuccessorType = EdgeKind;
+  class ControlFlowNode = Instruction;
 
   final private class FinalIRBlock = IRBlock;
 
@@ -280,7 +280,12 @@ module IRCfg implements BB::CfgSig<Language::Location> {
 
     BasicBlock getASuccessor() { result = super.getASuccessor() }
 
-    BasicBlock getASuccessor(SuccessorType t) { result = super.getSuccessor(t) }
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }
 
     predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
 

@@ -265,9 +265,9 @@ private predicate isEntryBlock(TIRBlock block) {
 }
 
 module IRCfg implements BB::CfgSig<Language::Location> {
-  class ControlFlowNode = Instruction;
+  private import codeql.controlflow.SuccessorType
 
-  class SuccessorType = EdgeKind;
+  class ControlFlowNode = Instruction;
 
   final private class FinalIRBlock = IRBlock;
 
@@ -280,7 +280,12 @@ module IRCfg implements BB::CfgSig<Language::Location> {
 
     BasicBlock getASuccessor() { result = super.getASuccessor() }
 
-    BasicBlock getASuccessor(SuccessorType t) { result = super.getSuccessor(t) }
+    BasicBlock getASuccessor(SuccessorType t) {
+      exists(EdgeKind k |
+        result = super.getSuccessor(k) and
+        t = getAMatchingSuccessorType(k)
+      )
+    }
 
     predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
 

@@ -10,7 +10,6 @@ module Stages {
   cached
   module ControlFlowStage {
     private import semmle.code.csharp.controlflow.internal.Splitting
-    private import semmle.code.csharp.controlflow.internal.SuccessorType
     private import semmle.code.csharp.controlflow.Guards as Guards
 
     cached
@@ -20,8 +19,6 @@ module Stages {
     private predicate forceCachingInSameStageRev() {
       exists(Split s)
       or
-      exists(SuccessorType st)
-      or
       exists(ControlFlow::Node n)
       or
       Guards::Internal::isCustomNullCheck(_, _, _, _)

@@ -6,9 +6,7 @@ private import semmle.code.csharp.commons.StructuralComparison as StructuralComp
 
 pragma[noinline]
 private predicate isConstantCondition0(ControlFlow::Node cfn, boolean b) {
-  exists(
-    cfn.getASuccessorByType(any(ControlFlow::SuccessorTypes::BooleanSuccessor t | t.getValue() = b))
-  ) and
+  exists(cfn.getASuccessorByType(any(ControlFlow::BooleanSuccessor t | t.getValue() = b))) and
   strictcount(ControlFlow::SuccessorType t | exists(cfn.getASuccessorByType(t))) = 1
 }
 

@@ -3,7 +3,7 @@
  */
 
 import csharp
-private import ControlFlow::SuccessorTypes
+private import ControlFlow
 private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl as CfgImpl
 private import CfgImpl::BasicBlocks as BasicBlocksImpl
 private import codeql.controlflow.BasicBlock as BB
@@ -346,8 +346,6 @@ private class EntryBasicBlockAlias = EntryBasicBlock;
 module Cfg implements BB::CfgSig<Location> {
   class ControlFlowNode = ControlFlow::Node;
 
-  class SuccessorType = ControlFlow::SuccessorType;
-
   class BasicBlock = BasicBlockAlias;
 
   class EntryBasicBlock = EntryBasicBlockAlias;

@@ -5,7 +5,6 @@ private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.commons.Compilation
 private import ControlFlow
 private import ControlFlow::BasicBlocks
-private import SuccessorTypes
 private import semmle.code.csharp.Caching
 private import internal.ControlFlowGraphImpl as Impl
 

@@ -6,7 +6,6 @@ import csharp
 module ControlFlow {
   private import semmle.code.csharp.controlflow.BasicBlocks as BBs
   import semmle.code.csharp.controlflow.internal.SuccessorType
-  private import SuccessorTypes
   private import internal.ControlFlowGraphImpl as Impl
   private import internal.Splitting as Splitting
 

@@ -3,7 +3,7 @@
  */
 
 import csharp
-private import ControlFlow::SuccessorTypes
+private import ControlFlow
 private import semmle.code.csharp.commons.Assertions
 private import semmle.code.csharp.commons.ComparisonTest
 private import semmle.code.csharp.commons.StructuralComparison as SC
@@ -1424,6 +1424,7 @@ module Internal {
 
       cached
       predicate isGuard(Expr e, AbstractValue val) {
+        Stages::ControlFlowStage::forceCachingInSameStage() and
         (
           e.getType() instanceof BoolType and
           not e instanceof BoolLiteral and

@@ -26,7 +26,6 @@
 private import ControlFlowGraphImpl
 private import NonReturning
 private import SuccessorType
-private import SuccessorTypes
 
 private newtype TCompletion =
   TSimpleCompletion() or
@@ -575,7 +574,7 @@
 
 /** A simple (normal) completion. */
 class SimpleCompletion extends NonNestedNormalCompletion, TSimpleCompletion {
-  override NormalSuccessor getAMatchingSuccessorType() { any() }
+  override DirectSuccessor getAMatchingSuccessorType() { any() }
 
   override string toString() { result = "normal" }
 }
@@ -859,7 +858,7 @@
   /** Gets the label of the `goto` completion. */
   string getLabel() { result = label }
 
-  override GotoSuccessor getAMatchingSuccessorType() { result.getLabel() = label }
+  override GotoSuccessor getAMatchingSuccessorType() { any() }
 
   override string toString() {
     // `NestedCompletion` defines `toString()` for the other case
@@ -882,7 +881,7 @@
   /** Gets the type of the exception being thrown. */
   ExceptionClass getExceptionClass() { result = ec }
 
-  override ExceptionSuccessor getAMatchingSuccessorType() { result.getExceptionClass() = ec }
+  override ExceptionSuccessor getAMatchingSuccessorType() { any() }
 
   override string toString() {
     // `NestedCompletion` defines `toString()` for the other case

@@ -79,23 +79,10 @@ private module CfgInput implements CfgShared::InputSig<Location> {
     Impl::scopeLast(scope, last, c)
   }
 
-  class SuccessorType = ST::SuccessorType;
+  private class SuccessorType = ST::SuccessorType;
 
   SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
 
-  predicate successorTypeIsSimple(SuccessorType t) {
-    t instanceof ST::SuccessorTypes::NormalSuccessor
-  }
-
-  predicate successorTypeIsCondition(SuccessorType t) {
-    t instanceof ST::SuccessorTypes::ConditionalSuccessor
-  }
-
-  predicate isAbnormalExitType(SuccessorType t) {
-    t instanceof ST::SuccessorTypes::ExceptionSuccessor or
-    t instanceof ST::SuccessorTypes::ExitSuccessor
-  }
-
   int idOfAstNode(AstNode node) { result = node.getId() }
 
   int idOfCfgScope(CfgScope node) { result = idOfAstNode(node) }

@@ -150,7 +150,7 @@ class ConditionBlock extends PreBasicBlock {
   }
 
   pragma[nomagic]
-  predicate controls(PreBasicBlock controlled, Cfg::SuccessorTypes::ConditionalSuccessor s) {
+  predicate controls(PreBasicBlock controlled, Cfg::ConditionalSuccessor s) {
     exists(PreBasicBlock succ, ConditionalCompletion c |
       conditionBlockImmediatelyControls(this, succ, c)
     |
@@ -163,8 +163,6 @@ class ConditionBlock extends PreBasicBlock {
 module PreCfg implements BB::CfgSig<Location> {
   class ControlFlowNode = ControlFlowElement;
 
-  class SuccessorType = Cfg::SuccessorType;
-
   class BasicBlock = PreBasicBlock;
 
   class EntryBasicBlock extends BasicBlock {

@@ -82,6 +82,8 @@ module PreSsa {
   }
 
   module SsaInput implements SsaImplCommon::InputSig<Location, PreBasicBlocks::PreBasicBlock> {
+    private import semmle.code.csharp.Caching
+
     private class ExitBasicBlock extends PreBasicBlocks::PreBasicBlock {
       ExitBasicBlock() { scopeLast(_, this.getLastNode(), _) }
     }
@@ -124,6 +126,7 @@ module PreSsa {
     predicate variableWrite(
       PreBasicBlocks::PreBasicBlock bb, int i, SourceVariable v, boolean certain
     ) {
+      Stages::ControlFlowStage::forceCachingInSameStage() and
       exists(AssignableDefinition def |
         definitionAt(def, bb, i, v) and
         if def.getTargetAccess().isRefArgument() then certain = false else certain = true