[sound flow analysis] Implement behaviors for is and as.

This change updates the flow analysis logic for `is` and `as`
expressions so that when the language feature `sound-flow-analysis` is
enabled, the static type of the operand is compared to the type to the
right of the `is` or `as` keyword. If one of the types is non-nullable
and the other type is `Null`, then the type test is known to fail. For
an `as` expression, this means that the code path following the
expression will be marked as unreachable. For an `is` expression, this
means that any code paths that assume it evaluates to `true` will be
marked as unreachable.

Note that these new behaviors break assumptions made by three
pre-existing flow analysis tests. I was able to adjust one of the
tests ("equalityOp_end does not set reachability for `this`") to
preserve its old behavior. The other two tests became redundant, so I
removed them.

There is no behavioral change if the feature `sound-flow-analysis` is
disabled.

Bug: #60438
Change-Id: Ib3a9e96bd39cf7df4c6c297568763c0f25bc9e39
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/420164
Reviewed-by: Konstantin Shcheglov <[email protected]>
Reviewed-by: Chloe Stefantsova <[email protected]>
Commit-Queue: Paul Berry <[email protected]>

Author: stereotype441

pkg/_fe_analyzer_shared/lib/src/flow_analysis/flow_analysis.dart

@@ -210,8 +210,10 @@ abstract class FlowAnalysis<Node extends Object, Statement extends Node,
   /// Call this method after visiting an "as" expression.
   ///
   /// [subExpression] should be the expression to which the "as" check was
-  /// applied.  [type] should be the type being checked.
-  void asExpression_end(Expression subExpression, Type type);
+  /// applied, and [subExpressionType] should be its static type. [castType]
+  /// should be the type being cast to.
+  void asExpression_end(Expression subExpression,
+      {required Type subExpressionType, required Type castType});
 
   /// Call this method after visiting the condition part of an assert statement
   /// (or assert initializer).
@@ -659,11 +661,13 @@ abstract class FlowAnalysis<Node extends Object, Statement extends Node,
   /// Call this method after visiting the LHS of an "is" expression.
   ///
   /// [isExpression] should be the complete expression.  [subExpression] should
-  /// be the expression to which the "is" check was applied.  [isNot] should be
-  /// a boolean indicating whether this is an "is" or an "is!" expression.
-  /// [type] should be the type being checked.
+  /// be the expression to which the "is" check was applied, and
+  /// [subExpressionType] should be its static type. [isNot] should be a
+  /// boolean indicating whether this is an "is" or an "is!" expression.
+  /// [checkedType] should be the type being checked.
   void isExpression_end(
-      Expression isExpression, Expression subExpression, bool isNot, Type type);
+      Expression isExpression, Expression subExpression, bool isNot,
+      {required Type subExpressionType, required Type checkedType});
 
   /// Return whether the [variable] is definitely unassigned in the current
   /// state.
@@ -1214,9 +1218,13 @@ class FlowAnalysisDebug<Node extends Object, Statement extends Node,
   FlowAnalysisOperations<Variable, Type> get operations => _wrapped.operations;
 
   @override
-  void asExpression_end(Expression subExpression, Type type) {
-    _wrap('asExpression_end($subExpression, $type)',
-        () => _wrapped.asExpression_end(subExpression, type));
+  void asExpression_end(Expression subExpression,
+      {required Type subExpressionType, required Type castType}) {
+    _wrap(
+        'asExpression_end($subExpression, subExpressionType: '
+        '$subExpressionType, castType: $castType)',
+        () => _wrapped.asExpression_end(subExpression,
+            subExpressionType: subExpressionType, castType: castType));
   }
 
   @override
@@ -1573,12 +1581,14 @@ class FlowAnalysisDebug<Node extends Object, Statement extends Node,
   }
 
   @override
-  void isExpression_end(Expression isExpression, Expression subExpression,
-      bool isNot, Type type) {
+  void isExpression_end(
+      Expression isExpression, Expression subExpression, bool isNot,
+      {required Type subExpressionType, required Type checkedType}) {
     _wrap(
-        'isExpression_end($isExpression, $subExpression, $isNot, $type)',
-        () => _wrapped.isExpression_end(
-            isExpression, subExpression, isNot, type));
+        'isExpression_end($isExpression, $subExpression, $isNot, '
+        'subExpressionType: $subExpressionType, checkedType: $checkedType)',
+        () => _wrapped.isExpression_end(isExpression, subExpression, isNot,
+            subExpressionType: subExpressionType, checkedType: checkedType));
   }
 
   @override
@@ -4290,7 +4300,7 @@ class _FlowAnalysisImpl<Node extends Object, Statement extends Node,
     implements
         FlowAnalysis<Node, Statement, Expression, Variable, Type>,
         _PropertyTargetHelper<Expression, Type> {
-  /// Options affecting the behavior of flow analysis.
+  /// Language features enables affecting the behavior of flow analysis.
   final TypeAnalyzerOptions typeAnalyzerOptions;
 
   /// The [FlowAnalysisOperations], used to access types, check subtyping, and
@@ -4413,10 +4423,18 @@ class _FlowAnalysisImpl<Node extends Object, Statement extends Node,
   FlowAnalysisTypeOperations<Type> get typeOperations => operations;
 
   @override
-  void asExpression_end(Expression subExpression, Type type) {
+  void asExpression_end(Expression subExpression,
+      {required Type subExpressionType, required Type castType}) {
+    // Depending on types, flow analysis may be able to prove that the `as`
+    // expression is guaranteed to fail.
+    if (_isTypeCheckGuaranteedToFailWithSoundNullSafety(
+        staticType: subExpressionType, checkedType: castType)) {
+      _current = _current.setUnreachable();
+    }
+
     _Reference<Type>? reference = _getExpressionReference(subExpression);
     if (reference == null) return;
-    _current = _current.tryPromoteForTypeCast(this, reference, type);
+    _current = _current.tryPromoteForTypeCast(this, reference, castType);
   }
 
   @override
@@ -4950,16 +4968,19 @@ class _FlowAnalysisImpl<Node extends Object, Statement extends Node,
   }
 
   @override
-  void isExpression_end(Expression isExpression, Expression subExpression,
-      bool isNot, Type type) {
-    if (operations.isBottomType(type)) {
+  void isExpression_end(
+      Expression isExpression, Expression subExpression, bool isNot,
+      {required Type subExpressionType, required Type checkedType}) {
+    if (operations.isBottomType(checkedType) ||
+        _isTypeCheckGuaranteedToFailWithSoundNullSafety(
+            staticType: subExpressionType, checkedType: checkedType)) {
       booleanLiteral(isExpression, isNot);
     } else {
       _Reference<Type>? subExpressionReference =
           _getExpressionReference(subExpression);
       if (subExpressionReference != null) {
-        ExpressionInfo<Type> expressionInfo =
-            _current.tryPromoteForTypeCheck(this, subExpressionReference, type);
+        ExpressionInfo<Type> expressionInfo = _current.tryPromoteForTypeCheck(
+            this, subExpressionReference, checkedType);
         _storeExpressionInfo(
             isExpression, isNot ? expressionInfo._invert() : expressionInfo);
       }
@@ -6063,6 +6084,32 @@ class _FlowAnalysisImpl<Node extends Object, Statement extends Node,
     }
   }
 
+  /// Determines whether an expression having the given [staticType] is
+  /// guaranteed to fail an `is` or `as` check using [checkedType] due to sound
+  /// null safety.
+  ///
+  /// If [TypeAnalyzerOptions.soundFlowAnalysisEnabled] is `false`, this method
+  /// will return `false` regardless of its input. This reflects the fact that
+  /// in language versions prior to the introduction of sound flow analysis,
+  /// flow analysis assumed that the program might be executing in unsound null
+  /// safety mode.
+  bool _isTypeCheckGuaranteedToFailWithSoundNullSafety(
+      {required Type staticType, required Type checkedType}) {
+    if (!typeAnalyzerOptions.soundFlowAnalysisEnabled) return false;
+    switch (typeOperations.classifyType(staticType)) {
+      case TypeClassification.nonNullable
+          when typeOperations.classifyType(checkedType) ==
+              TypeClassification.nullOrEquivalent:
+      case TypeClassification.nullOrEquivalent
+          when typeOperations.classifyType(checkedType) ==
+              TypeClassification.nonNullable:
+        // Guaranteed to fail due to nullability mismatch.
+        return true;
+      default:
+        return false;
+    }
+  }
+
   FlowModel<Type> _join(FlowModel<Type>? first, FlowModel<Type>? second) =>
       FlowModel.join(this, first, second);
 

pkg/_fe_analyzer_shared/lib/src/type_inference/type_analyzer.dart

@@ -2744,11 +2744,14 @@ class TypeAnalyzerOptions {
 
   final bool inferenceUpdate4Enabled;
 
+  final bool soundFlowAnalysisEnabled;
+
   TypeAnalyzerOptions({
     required this.patternsEnabled,
     required this.inferenceUpdate3Enabled,
     required this.respectImplicitlyTypedVarInitializers,
     required this.fieldPromotionEnabled,
     required this.inferenceUpdate4Enabled,
+    required this.soundFlowAnalysisEnabled,
   });
 }

pkg/_fe_analyzer_shared/test/flow_analysis/flow_analysis_test.dart

@@ -564,7 +564,7 @@ main() {
       h.thisType = 'C';
       h.addSuperInterfaces('C', (_) => [Type('Object')]);
       h.run([
-        if_(this_.is_('Null'), [
+        if_(this_.is_('Null', isInverted: true), [
           if_(this_.eq(nullLiteral), [
             checkReachable(true),
           ], [
@@ -1693,27 +1693,6 @@ main() {
       _checkIs('int', 'String', null, null, inverted: true);
     });
 
-    test('isExpression_end does nothing if applied to a non-variable', () {
-      h.run([
-        if_(expr('Null').is_('int'), [
-          checkReachable(true),
-        ], [
-          checkReachable(true),
-        ]),
-      ]);
-    });
-
-    test('isExpression_end does nothing if applied to a non-variable, inverted',
-        () {
-      h.run([
-        if_(expr('Null').isNot('int'), [
-          checkReachable(true),
-        ], [
-          checkReachable(true),
-        ]),
-      ]);
-    });
-
     test('isExpression_end() does not promote write-captured vars', () {
       var x = Var('x');
       h.run([
@@ -10667,6 +10646,134 @@ main() {
       });
     });
   });
+
+  group('Sound null safety:', () {
+    group('<nonNull> as Null:', () {
+      test('When enabled, is guaranteed to throw', () {
+        h.run([
+          expr('int').as_('Null'),
+          checkReachable(false),
+        ]);
+      });
+
+      test('When disabled, no effect', () {
+        h.disableSoundFlowAnalysis();
+        h.run([
+          expr('int').as_('Null'),
+          checkReachable(true),
+        ]);
+      });
+    });
+
+    group('<Null> as <nonNullable>:', () {
+      test('When enabled, is guaranteed to throw', () {
+        h.run([
+          expr('Null').as_('int'),
+          checkReachable(false),
+        ]);
+      });
+
+      test('When disabled, no effect', () {
+        h.disableSoundFlowAnalysis();
+        h.run([
+          expr('Null').as_('int'),
+          checkReachable(true),
+        ]);
+      });
+    });
+
+    group('<nonNull> is Null:', () {
+      test('When enabled, is guaranteed false', () {
+        h.run([
+          if_(expr('int').is_('Null'), [
+            checkReachable(false),
+          ], [
+            checkReachable(true),
+          ]),
+        ]);
+      });
+
+      test('When disabled, no effect', () {
+        h.disableSoundFlowAnalysis();
+        h.run([
+          if_(expr('int').is_('Null'), [
+            checkReachable(true),
+          ], [
+            checkReachable(true),
+          ]),
+        ]);
+      });
+    });
+
+    group('<nonNull> is! Null:', () {
+      test('When enabled, is guaranteed false', () {
+        h.run([
+          if_(expr('int').is_('Null', isInverted: true), [
+            checkReachable(true),
+          ], [
+            checkReachable(false),
+          ]),
+        ]);
+      });
+
+      test('When disabled, no effect', () {
+        h.disableSoundFlowAnalysis();
+        h.run([
+          if_(expr('int').is_('Null', isInverted: true), [
+            checkReachable(true),
+          ], [
+            checkReachable(true),
+          ]),
+        ]);
+      });
+    });
+
+    group('<Null> is <nonNullable>:', () {
+      test('When enabled, is guaranteed false', () {
+        h.run([
+          if_(expr('Null').is_('int'), [
+            checkReachable(false),
+          ], [
+            checkReachable(true),
+          ]),
+        ]);
+      });
+
+      test('When disabled, no effect', () {
+        h.disableSoundFlowAnalysis();
+        h.run([
+          if_(expr('Null').is_('int'), [
+            checkReachable(true),
+          ], [
+            checkReachable(true),
+          ]),
+        ]);
+      });
+    });
+
+    group('<Null> is! <nonNullable>:', () {
+      test('When enabled, is guaranteed false', () {
+        h.run([
+          if_(expr('Null').is_('int', isInverted: true), [
+            checkReachable(true),
+          ], [
+            checkReachable(false),
+          ]),
+        ]);
+      });
+
+      test('When disabled, no effect', () {
+        h.disableSoundFlowAnalysis();
+        h.run([
+          if_(expr('Null').is_('int', isInverted: true), [
+            checkReachable(true),
+          ], [
+            checkReachable(true),
+          ]),
+        ]);
+      });
+    });
+  });
 }
 
 /// Returns the appropriate matcher for expecting an assertion error to be