Add compiler-generated code dataflow analysis

[sbomer]

Still a work in progress, but feel free to take an early look!

edit: After some discussion I changed the approach. See old notes below for the earlier approach.

This treats fields of display classes and state machines as hoisted locals. We track all assignments to hoisted locals within a method group (the set of compiler-generated code reachable from a given user method). The analysis is technically flow-insensitive, because it assumes that any assignment to a hoisted local can reach any read of the same local. This will produce extra warnings in some cases, but it closes the holes in the original approach:

• State will "flow" out of nested functions. That is, writes (to hoisted locals) within nested functions will reach reads in the enclosing user method
• Lambdas are analyzed at the point of delegate conversion, but with all possible states of captured variables. So effectively, writes after the lambda declaration will reach reads within the lambda.

Previously, hoisted locals were treated as unannotated, so they would produce dataflow warnings if they reached an annotated location. Now that we analyze hoisted locals, cases where the value satisfies requirements at the point of consumption won't warn. This means that accessing these fields (representing hoisted locals) via reflection is problematic, since it could mutate the values of these fields and invalidate the correctness analysis. For this reason we now warn on reflection access to compiler-generated fields.

To prevent noise, we only warn for reflection access to compiler-generated fields that represent types which may be annotated - so Type, string, etc. - but not int. This is technically a hole because ints also participate in dataflow analysis but per discussion with @vitek-karas I think we agree that this is an ok tradeoff.

---

Old notes:

This flows state through hoisted locals in state machine methods, and into nested functions (lambdas/local functions). Some caveats to be aware of:

• Lambdas are analyzed with the state of captured variables at the point of delegate conversion, not at the point of invocation (which would require tracking delegates as dataflow values). This is an analysis hole in some cases. It follows the model for nullable analysis, which has an analysis hole in this case for lambdas but not for local functions: https://sharplab.io/#v2:EYLgtghglgdgNAFxFANnAJiA1AHwAIBMAjALABQAxDAK4ooTAoCmABEzA8+XgMwuEsAwiwDe5FhP588AFhYBZABQBKUeMkbBAfhYBjFgF4WMJgHchKgNzqNEvEQIsUhlisMA+NWVs/+RAJyKugB0ACoA9gDKCABOsADmKsrW3r4Avim+LDa2siwAMuG6ECh4AKwIUOEwbgae9oEhEdFxMInKyTkaXZL6RjR0mb4oVj0ShcWlFVU1nakSaeSLZEA=
• This doesn't track state flowing out of nested functions. Again, similar to nullable: https://sharplab.io/#v2:EYLgtghglgdgNAFxFANnAJiA1AHwAIBMAjALABQAxDAK4ooTAoCmABEzA8+XgMwuEsAwiwDe5FhP588AFhYBZABQBKUeMkbBAfhYBjFgF4WMJgHchKgNzqNEvEQIsUhlisMA+NWVs+9LmnTW3r4AvkG+LDa2siwAMgD2uhAoeACsCFDxMG4GnvpGAShBURooViWSCUkp6ZnZyuG+9gCciroAdAAq8QDKCABOsADmKg1RIeQTZEA=.

@vitek-karas @agocke @MichalStrehovsky I'm curious to hear your opinion on whether we should try to plug those holes, or if this approach is good enough.

[sbomer]

@vitek-karas I think this is ready - PTAL! @jtschuster I would also appreciate your review since you have experience with the locals tracking logic.

[jtschuster]

LGTM, Thank you!

[vitek-karas]

Regarding the potential holes with reflection access to closure fields:

• I'm mostly worried about noise - we've seen cases where All is applied to a type, if this type uses state machines/closures anywhere all of the fields on those subtypes will be marked with "Reflection access" and can generate warnings. This is often counter intuitive and hard to diagnose where the warning came from (and why), and also is tricky to fix - suppressions are problematic (especially since they would typically apply to entire types) and real fix is basically impossible.
• With that said - reducing noise from this should be a relatively high priority. Personally I would not mind if we leave some holes behind in favor of reducing noise - ideally with a plan how to "plug" them.
• So the int hole - I'm perfectly OK with that.
• We need to test this, we might need to ignore string as well (even though it can carry annotations) - again to reduce noise.
• The reason I'm OKish leaving holes in this - It is VERY unlikely the reflection will be actually exercised at runtime and even less so to modify the field's value. And honestly, if somebody is doing private reflection on compiler generated code with modifications... I'm fine if that's the one case where we break them.
• Going forward if this becomes a sore point we can do a lot better by:
  • Add the ability to track access to values (fields, parameters) during data flow analysis - basically being able to determine which values where used to make marking/warning decisions. This is relatively easy, just needs a good C# model to make it easy to write and reliable.
  • Once we have that we would use that to determine which of the hoisted fields are actually interesting for data flow - not just a heuristic based on their type. And then we would warn on reflection access only to those fields. Such warnings would greatly reduce the noise ratio (but still relatively high - as noted above I doubt we will see code which actually wants to reflect over the compiler generated stuff).

[vitek-karas]

This might hold for the analyzer, but doesn't hold for linker (there are other compilers producing IL which may not implement definite assignment).
I'm fine with the current behavior for now, but we should probably file an issue on this at least.

That said it's probably not a big problem:
Runtime behavior of such case (unless we get something wrong) is that the field will have its default value (so typically null) - which typically means the analysis will ignore/skip it anyway.

[sbomer]

Filed #2871

[vitek-karas]

This needs another comment which basically says that the skipWarningsForOverride=true can only happen on MoveNext like methods in compiler generated code, that it will never happen for local functions and alike. Meaning that it's never going to happen that we decided to not warn above and would also skip warning here.
Reason: Technically the logic here is wrong, the warnsOnReflection is true regardless if we produced warning above or not (due to override auto-suppression) and that will suppress producing the compiler-generated warning here. But it will never actually matter. So I'm fine keeping the code as-is, but I think this needs good explanation.

[sbomer]

I added a comment and also tried to make this more clear by renaming the variables to isReflectionAccessCoveredByRUC/DAM. There's still a naming issue because the skipWarningsForOverride check isn't part of ShouldWarnWhenAccessedForReflection (so ShouldWarn says true, but then we still might not warn) - but I don't want to clean all of that up here.

[vitek-karas]

Looks good - thanks!

[vitek-karas]

Can't wait for all of this light up :-)