add the cached stages pattern to Python

erik-krogh · erik-krogh · commit 71eacea90b3a · 2022-03-30T22:53:59.000+02:00
diff --git a/python/ql/lib/semmle/python/Flow.qll b/python/ql/lib/semmle/python/Flow.qll
@@ -1,5 +1,6 @@
 import python
 private import semmle.python.pointsto.PointsTo
+private import semmle.python.internal.CachedStages
 
 /*
  * Note about matching parent and child nodes and CFG splitting:
@@ -122,7 +123,9 @@ class ControlFlowNode extends @py_flow_node {
   AstNode getNode() { py_flow_bb_node(this, result, _, _) }
 
   /** Gets a textual representation of this element. */
+  cached
   string toString() {
+    Stages::DataFlow::ref() and
     exists(Scope s | s.getEntryNode() = this | result = "Entry node for " + s.toString())
     or
     exists(Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())
@@ -1011,6 +1014,7 @@ class BasicBlock extends @py_flow_node {
 
   cached
   BasicBlock getImmediateDominator() {
+    Stages::SSA::ref() and
     this.firstNode().getImmediateDominator().getBasicBlock() = result
   }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll
@@ -110,13 +110,19 @@ private DataFlowCallable getCallableScope(Scope s) {
   result = getCallableScope(s.getEnclosingScope())
 }
 
+private import semmle.python.internal.CachedStages
+
 /**
  * An element, viewed as a node in a data flow graph. Either an SSA variable
  * (`EssaNode`) or a control flow node (`CfgNode`).
  */
 class Node extends TNode {
   /** Gets a textual representation of this element. */
-  string toString() { result = "Data flow node" }
+  cached
+  string toString() {
+    Stages::DataFlow::ref() and
+    result = "Data flow node"
+  }
 
   /** Gets the scope of this node. */
   Scope getScope() { none() }
@@ -134,9 +140,11 @@ class Node extends TNode {
    * For more information, see
    * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
    */
+  cached
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
+    Stages::DataFlow::ref() and
     this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
   }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll b/python/ql/lib/semmle/python/dataflow/new/internal/LocalSources.qll
@@ -9,6 +9,7 @@
 import python
 import DataFlowPublic
 private import DataFlowPrivate
+private import semmle.python.internal.CachedStages
 
 /**
  * A data flow node that is a source of local flow. This includes things like
@@ -33,6 +34,7 @@ private import DataFlowPrivate
 class LocalSourceNode extends Node {
   cached
   LocalSourceNode() {
+    Stages::DataFlow::ref() and
     this instanceof ExprNode and
     not simpleLocalFlowStep(_, this)
     or
@@ -176,6 +178,7 @@ private module Cached {
    */
   cached
   predicate hasLocalSource(Node sink, LocalSourceNode source) {
+    Stages::DataFlow::ref() and
     source = sink
     or
     exists(Node second |
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -3,6 +3,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.DataFlowPrivate as DataFlowPrivate
 private import semmle.python.dataflow.new.internal.TaintTrackingPublic
 private import semmle.python.ApiGraphs
+private import semmle.python.internal.CachedStages
 
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
@@ -30,6 +31,7 @@ private module Cached {
    */
   cached
   predicate defaultAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    Stages::Taint::ref() and
     localAdditionalTaintStep(nodeFrom, nodeTo)
     or
     any(AdditionalTaintStep a).step(nodeFrom, nodeTo)
@@ -42,6 +44,7 @@ private module Cached {
    */
   cached
   predicate localAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    Stages::Taint::ref() and
     concatStep(nodeFrom, nodeTo)
     or
     subscriptStep(nodeFrom, nodeTo)
diff --git a/python/ql/lib/semmle/python/essa/Essa.qll b/python/ql/lib/semmle/python/essa/Essa.qll
@@ -5,6 +5,7 @@
 import python
 private import SsaCompute
 import semmle.python.essa.Definitions
+private import semmle.python.internal.CachedStages
 
 /** An (enhanced) SSA variable derived from `SsaSourceVariable`. */
 class EssaVariable extends TEssaDefinition {
@@ -270,6 +271,7 @@ class PhiFunction extends EssaDefinition, TPhiFunction {
   /** Gets the input variable for this phi node on the edge `pred` -> `this.getBasicBlock()`, if any. */
   cached
   EssaVariable getInput(BasicBlock pred) {
+    Stages::SSA::ref() and
     result.getDefinition() = this.reachingDefinition(pred)
     or
     result.getDefinition() = this.inputEdgeRefinement(pred)
diff --git a/python/ql/lib/semmle/python/essa/SsaCompute.qll b/python/ql/lib/semmle/python/essa/SsaCompute.qll
@@ -90,6 +90,7 @@
  */
 
 import python
+private import semmle.python.internal.CachedStages
 
 cached
 private module SsaComputeImpl {
@@ -308,6 +309,7 @@ private module SsaComputeImpl {
      */
     cached
     predicate reachesEndOfBlock(SsaSourceVariable v, BasicBlock defbb, int defindex, BasicBlock b) {
+      Stages::SSA::ref() and
       Liveness::liveAtExit(v, b) and
       (
         defbb = b and
diff --git a/python/ql/lib/semmle/python/essa/SsaDefinitions.qll b/python/ql/lib/semmle/python/essa/SsaDefinitions.qll
@@ -5,12 +5,14 @@
 
 import python
 private import semmle.python.pointsto.Base
+private import semmle.python.internal.CachedStages
 
 cached
 module SsaSource {
   /** Holds if `v` is used as the receiver in a method call. */
   cached
   predicate method_call_refinement(Variable v, ControlFlowNode use, CallNode call) {
+    Stages::SSA::ref() and
     use = v.getAUse() and
     call.getFunction().(AttrNode).getObject() = use and
     not test_contains(_, call)
diff --git a/python/ql/lib/semmle/python/internal/Awaited.qll b/python/ql/lib/semmle/python/internal/Awaited.qll
@@ -6,6 +6,7 @@
 
 private import python
 private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.internal.CachedStages
 
 /**
  * INTERNAL: Do not use.
@@ -14,6 +15,7 @@ private import semmle.python.dataflow.new.DataFlow
  */
 cached
 DataFlow::Node awaited(DataFlow::Node awaitedValue) {
+  Stages::DataFlow::ref() and
   // `await` x
   // - `awaitedValue` is `x`
   // - `result` is `await x`
diff --git a/python/ql/lib/semmle/python/internal/CachedStages.qll b/python/ql/lib/semmle/python/internal/CachedStages.qll
@@ -0,0 +1,140 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * The purpose of this file is to control which cached predicates belong to the same stage.
+ *
+ * Combining stages can improve performance as we are more likely to reuse shared, non-cached predicates.
+ *
+ * To make a predicate `p` belong to a stage `A`:
+ * - make `p` depend on `A::ref()`, and
+ * - make `A::backref()` depend on `p`.
+ *
+ * Since `A` is a cached module, `ref` and `backref` must be in the same stage, and the dependency
+ * chain above thus forces `p` to be in that stage as well.
+ *
+ * With these two predicates in a `cached module` we ensure that all the cached predicates will be in a single stage at runtime.
+ *
+ * Grouping stages can cause unnecessary computation, as a concrete query might not depend on
+ * all the cached predicates in a stage.
+ * Care should therefore be taken not to combine two stages, if it is likely that a query only depend
+ * on some but not all the cached predicates in the combined stage.
+ */
+
+import python
+
+/**
+ * Contains a `cached module` for each stage.
+ * Each `cached module` ensures that predicates that are supposed to be in the same stage, are in the same stage.
+ *
+ * Each `cached module` contain two predicates:
+ * The first, `ref`, always holds, and is referenced from `cached` predicates.
+ * The second, `backref`, contains references to the same `cached` predicates.
+ * The `backref` predicate starts with `1 = 1 or` to ensure that the predicate will be optimized down to a constant by the optimizer.
+ */
+module Stages {
+  /**
+   * The `SSA` stage.
+   */
+  cached
+  module SSA {
+    /**
+     * Always holds.
+     * Ensures that a predicate is evaluated as part of the Ast stage.
+     */
+    cached
+    predicate ref() { 1 = 1 }
+
+    private import semmle.python.essa.SsaDefinitions as SsaDefinitions
+    private import semmle.python.essa.SsaCompute as SsaCompute
+    private import semmle.python.essa.Essa as Essa
+
+    /**
+     * DONT USE!
+     * Contains references to each predicate that use the above `ref` predicate.
+     */
+    cached
+    predicate backref() {
+      1 = 1
+      or
+      SsaDefinitions::SsaSource::method_call_refinement(_, _, _)
+      or
+      SsaCompute::SsaDefinitions::reachesEndOfBlock(_, _, _, _)
+      or
+      exists(any(Essa::PhiFunction p).getInput(_))
+    }
+  }
+
+  /**
+   * The `dataflow` stage.
+   */
+  cached
+  module DataFlow {
+    /**
+     * Always holds.
+     * Ensures that a predicate is evaluated as part of the DataFlow stage.
+     */
+    cached
+    predicate ref() { 1 = 1 }
+
+    private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
+    private import semmle.python.dataflow.new.internal.LocalSources as LocalSources
+    private import semmle.python.internal.Awaited as Awaited
+    private import semmle.python.pointsto.Base as PointsToBase
+    private import semmle.python.types.Object as TypeObject
+    private import semmle.python.objects.TObject as TObject
+    private import semmle.python.Flow as Flow
+
+    /**
+     * DONT USE!
+     * Contains references to each predicate that use the above `ref` predicate.
+     */
+    cached
+    predicate backref() {
+      1 = 1
+      or
+      exists(any(DataFlowPublic::Node node).toString())
+      or
+      any(DataFlowPublic::Node node).hasLocationInfo(_, _, _, _, _)
+      or
+      any(LocalSources::LocalSourceNode n).flowsTo(_)
+      or
+      exists(Awaited::awaited(_))
+      or
+      PointsToBase::BaseFlow::scope_entry_value_transfer_from_earlier(_, _, _, _)
+      or
+      exists(TypeObject::Object a)
+      or
+      exists(TObject::TObject f)
+      or
+      exists(any(Flow::ControlFlowNode c).toString())
+    }
+  }
+
+  /**
+   * The `taint` stage.
+   */
+  cached
+  module Taint {
+    /**
+     * Always holds.
+     * Ensures that a predicate is evaluated as part of the DataFlow stage.
+     */
+    cached
+    predicate ref() { 1 = 1 }
+
+    private import semmle.python.dataflow.new.internal.TaintTrackingPrivate as TaintTrackingPrivate
+
+    /**
+     * DONT USE!
+     * Contains references to each predicate that use the above `ref` predicate.
+     */
+    cached
+    predicate backref() {
+      1 = 1
+      or
+      TaintTrackingPrivate::localAdditionalTaintStep(_, _)
+      or
+      TaintTrackingPrivate::defaultAdditionalTaintStep(_, _)
+    }
+  }
+}
diff --git a/python/ql/lib/semmle/python/objects/TObject.qll b/python/ql/lib/semmle/python/objects/TObject.qll
@@ -5,6 +5,7 @@ private import semmle.python.types.Builtins
 private import semmle.python.objects.ObjectInternal
 private import semmle.python.pointsto.PointsTo
 private import semmle.python.pointsto.PointsToContext
+private import semmle.python.internal.CachedStages
 
 /**
  * Internal type backing `ObjectInternal` and `Value`
diff --git a/python/ql/lib/semmle/python/pointsto/Base.qll b/python/ql/lib/semmle/python/pointsto/Base.qll
@@ -11,6 +11,7 @@
 import python
 import semmle.python.essa.SsaDefinitions
 private import semmle.python.types.Builtins
+private import semmle.python.internal.CachedStages
 
 module BasePointsTo {
   /** INTERNAL -- Use n.refersTo(value, _, origin) instead */
@@ -280,6 +281,7 @@ module BaseFlow {
   predicate scope_entry_value_transfer_from_earlier(
     EssaVariable pred_var, Scope pred_scope, ScopeEntryDefinition succ_def, Scope succ_scope
   ) {
+    Stages::DataFlow::ref() and
     exists(SsaSourceVariable var |
       reaches_exit(pred_var) and
       pred_var.getScope() = pred_scope and
diff --git a/python/ql/lib/semmle/python/pointsto/MRO.qll b/python/ql/lib/semmle/python/pointsto/MRO.qll
@@ -178,10 +178,15 @@ class ClassList extends TClassList {
    * Gets a class list which is the de-duplicated form of the list containing elements of
    * this list from `n` onwards.
    */
+  pragma[noopt]
   ClassList deduplicate(int n) {
     n = this.length() and result = Empty()
     or
-    this.duplicate(n) and result = this.deduplicate(n + 1)
+    exists(int next |
+      this.duplicate(n) and
+      result = this.deduplicate(next) and
+      next = n + 1
+    )
     or
     exists(ClassObjectInternal cls, ClassList tail |
       this.deduplicateCons(n, cls, tail) and
@@ -479,10 +484,12 @@ private predicate needs_reversing(ClassList lst) {
   lst = Empty()
 }
 
+pragma[noopt]
 private predicate reverse_step(ClassList lst, ClassList remainder, ClassList reversed) {
   needs_reversing(lst) and remainder = lst and reversed = Empty()
   or
-  exists(ClassObjectInternal head, ClassList tail |
+  exists(ClassObjectInternal head, ClassList tail, TClassList cons |
+    reverse_step(lst, cons, tail) and
     reversed = Cons(head, tail) and
     reverse_stepCons(lst, remainder, head, tail)
   )
diff --git a/python/ql/lib/semmle/python/types/Object.qll b/python/ql/lib/semmle/python/types/Object.qll
@@ -2,9 +2,11 @@ import python
 private import semmle.python.objects.ObjectAPI
 private import semmle.python.objects.ObjectInternal
 private import semmle.python.types.Builtins
+private import semmle.python.internal.CachedStages
 
 cached
 private predicate is_an_object(@py_object obj) {
+  Stages::DataFlow::ref() and
   /* CFG nodes for numeric literals, all of which have a @py_cobject for the value of that literal */
   obj instanceof ControlFlowNode and
   not obj.(ControlFlowNode).getNode() instanceof IntegerLiteral and
