Merge pull request #11112 from MathiasVP/local-expr-flow

MathiasVP · web-flow · commit b95163cfe4f7 · 2022-11-04T10:32:27.000Z
C++: Improve `Buffer.qll` performance
diff --git a/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll b/cpp/ql/lib/semmle/code/cpp/commons/Buffer.qll
@@ -73,47 +73,33 @@ private int isSource(Expr bufferExpr, Element why) {
   )
 }
 
-private predicate localFlowToExprStep(DataFlow::Node n1, DataFlow::Node n2) {
-  not exists(n2.asExpr()) and
-  DataFlow::localFlowStep(n1, n2)
-}
-
-/** Holds if `n2 + delta` may be equal to `n1`. */
-private predicate localFlowStepToExpr(Expr e1, Expr e2) {
-  getBufferSizeCand0(e1) and
-  exists(DataFlow::Node n1, DataFlow::Node mid, DataFlow::Node n2 |
-    n1.asExpr() = e1 and
-    localFlowToExprStep*(n1, mid) and
-    DataFlow::localFlowStep(mid, n2) and
-    n2.asExpr() = e2
-  )
-}
-
 /**
  * Holds if `e2` is an expression that is derived from `e1` such that if `e1[n]` is a
  * well-defined expression for some number `n`, then `e2[n + delta]` is also a well-defined
  * expression.
  */
 private predicate step(Expr e1, Expr e2, int delta) {
   getBufferSizeCand0(e1) and
-  exists(Variable bufferVar, Class parentClass, VariableAccess parentPtr, int bufferSize |
-    e1 = parentPtr
-  |
-    bufferVar = e2.(VariableAccess).getTarget() and
-    // buffer is the parentPtr->bufferVar of a 'variable size struct'
-    memberMayBeVarSize(parentClass, bufferVar) and
-    parentPtr = e2.(VariableAccess).getQualifier() and
-    parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
-    (
-      if exists(bufferVar.getType().getSize())
-      then bufferSize = bufferVar.getType().getSize()
-      else bufferSize = 0
-    ) and
-    delta = bufferSize - parentClass.getSize()
+  (
+    exists(Variable bufferVar, Class parentClass, VariableAccess parentPtr, int bufferSize |
+      e1 = parentPtr
+    |
+      bufferVar = e2.(VariableAccess).getTarget() and
+      // buffer is the parentPtr->bufferVar of a 'variable size struct'
+      memberMayBeVarSize(parentClass, bufferVar) and
+      parentPtr = e2.(VariableAccess).getQualifier() and
+      parentPtr.getTarget().getUnspecifiedType().(PointerType).getBaseType() = parentClass and
+      (
+        if exists(bufferVar.getType().getSize())
+        then bufferSize = bufferVar.getType().getSize()
+        else bufferSize = 0
+      ) and
+      delta = bufferSize - parentClass.getSize()
+    )
+    or
+    DataFlow::localExprFlowStep(e1, e2) and
+    delta = 0
   )
-  or
-  localFlowStepToExpr(e1, e2) and
-  delta = 0
 }
 
 pragma[nomagic]
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1322,7 +1322,36 @@ predicate localInstructionFlow(Instruction e1, Instruction e2) {
  * local (intra-procedural) steps.
  */
 pragma[inline]
-predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
+predicate localExprFlow(Expr e1, Expr e2) { localExprFlowStep*(e1, e2) }
+
+/**
+ * Holds if `n1.asExpr()` doesn't have a result and `n1` flows to `n2` in a single
+ * dataflow step.
+ */
+private predicate localStepFromNonExpr(Node n1, Node n2) {
+  not exists(n1.asExpr()) and
+  localFlowStep(n1, n2)
+}
+
+/**
+ * Holds if `n1.asExpr()` doesn't have a result, `n2.asExpr() = e2` and
+ * `n2` is the first node reachable from `n1` such that `n2.asExpr()` exists.
+ */
+pragma[nomagic]
+private predicate localStepsToExpr(Node n1, Node n2, Expr e2) {
+  localStepFromNonExpr*(n1, n2) and
+  e2 = n2.asExpr()
+}
+
+/** Holds if data can flow from `e1` to `e2` in one local (intra-procedural) step. */
+cached
+predicate localExprFlowStep(Expr e1, Expr e2) {
+  exists(Node mid, Node n1, Node n2 |
+    localFlowStep(n1, mid) and
+    localStepsToExpr(mid, n2, e2) and
+    e1 = n1.asExpr()
+  )
+}
 
 cached
 private newtype TContent =
