[STAL-2713] Implement phi nodes

[jasonforal]

What problem are you trying to solve?

Our taint analysis implementation in #493 in omitted the handling of conditional (and mutually exclusive) control flow. This leads to incorrect analysis:
For example:

String y = alt0;
if (condition) {
    y = alt1;
} else {
    y = alt2;
}
y;

The above program is currently treated as:

String y = alt0;
{
    y = alt1;
} {
    y = alt2;
}
y;

This leads to a flow graph that incorrectly believes the y at line 7 can never be alt1 because it always gets re-assigned to alt2:

What is your solution?

The technique chosen takes inspiration from static single-assignment (SSA) form and how it handles merge points in a control-flow graph (CFG).

Specifically, we introduce phi nodes to our flow graph. Phi nodes are able to encapsulate control flow constructs that have mutually exclusive branches (e.g if/else). Upon entering a control flow construct with branches, we record all assignments and treat them as possible. Then, when exiting the control flow construct, we reconcile/merge the possible assignments, and then redefine the variable as the phi node.

Our graph then correctly becomes:

The above program represents an exhaustively-assigned variable. In the case where a variable isn't exhaustively assigned, the phi node references the definition of the variable before entering the control flow construct. For example:

String y = alt0;
if (condition) {
    y = alt1;
} else if (otherCondition) {
    y = alt2;
}
y;

Phi operands can be other phi nodes in the case of nested control flow:

String y = alt0;
if (condition) {
    y = alt1;
    if (otherCondition) {
        y = alt2;
    }
}
y;

Technical Details

• A Digraph node can now be either a CST node or a phi node. This is implemented as an additional bit shift for the performance reasons outlined in [STAL-2195] Initial implementation of intra-method taint analysis in Java #493 and is especially important now that graph edges need to encode whether the node is a CST or a phi node.
• A traditional way to determine if a variable is exhaustively assigned would be to construct a CFG and then construct a dominance frontier based on the CFG. Instead, we use an unconventional (but radically simpler) implementation where we just manually annotate if branch represents an consequent or alternative, and track which branches assignments occur in. (This is a good solution given we never construct an explicit CFG).

Limitations

• Path reachability is not performed. if (false) { y = alt1 } will be treated as a possible execution path.
• The "scope"s implemented are control flow scopes. Variable name scopes are yet to be implemented.

Alternatives considered

What the reviewer should know

• A traversal context is added just to accommodate future extensions.
• "ScopeBlock" and "ConditionalBlock" are CFG concepts -- while somewhat confusing, they should not be conflated with a CST block (defined by the code syntax "{ ... }")