UnguardedNullReturnDereference: Honor _Analysis_assume_

_Analysis_assume_(Expr) tells the analyzer to treat Expr as true. MSVC
compiles __assume() into an empty statement with no AST node, but the
EmptyStmt remains in the control flow graph at the macro invocation
site. The query was not recognizing this as a null guard:

  NBL *Nbl = DequeueNbl(&Queue);
  _Analysis_assume_(Nbl);
  NET_BUFFER_LIST_STATUS(Nbl) = NDIS_STATUS_FAILURE;  // flagged

Match the EmptyStmt at the _Analysis_assume_ location as a barrier by
correlating it with the macro invocation that names the guarded
variable. Also match AssumeExpr directly for compilers that emit it.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Author: zx2c4

src/microsoft/Likely Bugs/UnguardedNullReturnDereference.ql

@@ -139,6 +139,19 @@ class UnguardedNullReturnDereferenceReachability extends StackVariableReachabili
         "_checked_pointer_impl", "_fail_on_unexpected_null_pointer", "_fail_on_memory_op"]
       and c.getAnArgument().getAChild*() = v.getAnAccess()
       and c = node)
+    or
+    exists(AssumeExpr ae |
+      ae = node and
+      ae.getOperand().getAChild*() = v.getAnAccess()
+    )
+    or
+    exists(MacroInvocation mi |
+      mi.getMacroName() = "_Analysis_assume_" and
+      mi.getUnexpandedArgument(0) = v.getName() and
+      node.getLocation().getFile() = mi.getLocation().getFile() and
+      node.getLocation().getStartLine() = mi.getLocation().getStartLine() and
+      node instanceof EmptyStmt
+    )
   }
 }