Data flow: Reduce doublyBoundedFastTC use in StoreReadMatching

hvitved · hvitved · commit 184df7ebca43 · 2024-09-05T13:14:40.000+02:00
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll
@@ -2338,6 +2338,8 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
   signature module StoreReadMatchingInputSig {
     class NodeEx {
       string toString();
+
+      DataFlowType getDataFlowType();
     }
 
     predicate nodeRange(NodeEx node, boolean fromArg, DataFlowCallOption callCtx);
@@ -2370,13 +2372,6 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
    * The implementation is based on `doublyBoundedFastTC`, and in order to avoid poor
    * performance through recursion, we unroll the recursion manually 4 times, in order to
    * be able to handle access paths of maximum length 5.
-   *
-   * Additionally, in order to speed up the join with `doublyBoundedFastTC`, we first
-   * compute three pruning steps:
-   *
-   * 1. Which _contents_ may have matching read-store pairs (called `contentIsReadAndStored` below).
-   * 2. Which store targets may have _a_ matching read (called `storeMayReachARead` below).
-   * 3. Which reads may have _a_ matching store (called `aStoreMayReachRead` below).
    */
   module StoreReadMatching<StoreReadMatchingInputSig Input> {
     private import codeql.util.Boolean
@@ -2396,36 +2391,24 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       );
     }
 
-    private newtype TNodeOrContent =
-      TNodeOrContentNode(
-        NodeEx n, Boolean usesPrevDelta, boolean fromArg, DataFlowCallOption callCtx
-      ) {
+    private newtype TNodeExt =
+      MkNodeExt(NodeEx n, Boolean usesPrevDelta, boolean fromArg, DataFlowCallOption callCtx) {
         nodeRange(n, fromArg, callCtx)
-      } or
-      TNodeOrContentStoreContent(Content c) { storeContentStep(_, c, _) } or
-      TNodeOrContentReadContent(Content c) { readContentStep(_, c, _) }
+      }
 
-    private class NodeOrContent extends TNodeOrContent {
+    private class NodeExt extends MkNodeExt {
       NodeEx asNodeEx(boolean usesPrevDelta, boolean fromArg, DataFlowCallOption callCtx) {
-        this = TNodeOrContentNode(result, usesPrevDelta, fromArg, callCtx)
+        this = MkNodeExt(result, usesPrevDelta, fromArg, callCtx)
       }
 
-      Content asStoreContent() { this = TNodeOrContentStoreContent(result) }
-
-      Content asReadContent() { this = TNodeOrContentReadContent(result) }
+      DataFlowType getType() { result = this.asNodeEx(_, _, _).getDataFlowType() }
 
-      string toString() {
-        result = this.asStoreContent().toString()
-        or
-        result = this.asReadContent().toString()
-        or
-        result = this.asNodeEx(_, _, _).toString()
-      }
+      string toString() { result = this.asNodeEx(_, _, _).toString() }
     }
 
     pragma[nomagic]
     private predicate stepNodeCommon(
-      NodeOrContent node1, NodeEx n2, boolean usesPrevDelta2, Boolean fromArg2,
+      NodeExt node1, NodeEx n2, boolean usesPrevDelta2, Boolean fromArg2,
       DataFlowCallOption callCtx2
     ) {
       exists(NodeEx n1, boolean fromArg1, DataFlowCallOption callCtx1 |
@@ -2467,7 +2450,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
 
       pragma[nomagic]
       private predicate stepNode(
-        NodeOrContent node1, NodeEx n2, boolean usesPrevDelta2, Boolean fromArg2,
+        NodeExt node1, NodeEx n2, boolean usesPrevDelta2, Boolean fromArg2,
         DataFlowCallOption callCtx2
       ) {
         enabled() and
@@ -2487,135 +2470,51 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       }
 
       pragma[nomagic]
-      private predicate step(NodeOrContent node1, NodeOrContent node2) {
+      private predicate step(NodeExt node1, NodeExt node2) {
         exists(NodeEx n2, boolean usesPrevDelta2, boolean fromArg2, DataFlowCallOption callCtx2 |
           n2 = node2.asNodeEx(usesPrevDelta2, fromArg2, callCtx2) and
           stepNode(node1, n2, usesPrevDelta2, fromArg2, callCtx2)
         )
-        or
-        enabled() and
-        (
-          exists(NodeEx n2, Content c, boolean usesPrevDelta2 |
-            n2 = node2.asNodeEx(usesPrevDelta2, _, _) and
-            c = node1.asStoreContent() and
-            storeContentStep(_, c, n2) and
-            usesPrevDelta2 = false
-          )
-          or
-          exists(NodeEx n1, Content c, boolean usesPrevDelta1 |
-            n1 = node1.asNodeEx(usesPrevDelta1, _, _) and
-            c = node2.asReadContent() and
-            readContentStep(n1, c, _) and
-            usesPrevDelta(usesPrevDelta1)
-          )
-        )
       }
 
-      private predicate isStoreContent(NodeOrContent c) {
-        enabled() and
-        exists(c.asStoreContent())
-      }
-
-      private predicate isReadContent(NodeOrContent c) {
-        enabled() and
-        exists(c.asReadContent())
-      }
-
-      private predicate contentReachesReadTc(NodeOrContent node1, NodeOrContent node2) =
-        doublyBoundedFastTC(step/2, isStoreContent/1, isReadContent/1)(node1, node2)
-
       pragma[nomagic]
-      private predicate contentIsReadAndStoredJoin(NodeOrContent c1, NodeOrContent c2, Content c) {
-        enabled() and
-        c1.asStoreContent() = c and
-        c2.asReadContent() = c
-      }
-
-      additional predicate contentIsReadAndStored(Content c) {
-        exists(NodeOrContent n1, NodeOrContent n2 |
-          contentReachesReadTc(n1, n2) and
-          contentIsReadAndStoredJoin(n1, n2, c)
-        )
-      }
-
-      pragma[nomagic]
-      private predicate isStoreTarget0(NodeOrContent node, Content c) {
+      private predicate isStoreTarget0(NodeExt node, Content c) {
         exists(boolean usesPrevDelta |
-          contentIsReadAndStored(c) and
           storeContentStep(_, c, node.asNodeEx(usesPrevDelta, _, _)) and
           usesPrevDelta = false
         )
       }
 
-      private predicate isStoreTarget(NodeOrContent node) { isStoreTarget0(node, _) }
+      private predicate isStoreTarget(NodeExt node) { isStoreTarget0(node, _) }
 
       pragma[nomagic]
-      private predicate isReadSource0(NodeOrContent node, Content c) {
+      private predicate isReadSource0(NodeExt node, Content c) {
         exists(boolean usesPrevDelta |
-          contentIsReadAndStored(c) and
           readContentStep(node.asNodeEx(usesPrevDelta, _, _), c, _) and
           usesPrevDelta(usesPrevDelta)
         )
       }
 
-      private predicate isReadSource(NodeOrContent node) { isReadSource0(node, _) }
-
-      private predicate storeMayReachAReadTc(NodeOrContent node1, NodeOrContent node2) =
-        doublyBoundedFastTC(step/2, isStoreTarget/1, isReadContent/1)(node1, node2)
-
-      pragma[nomagic]
-      private predicate storeMayReachAReadJoin(NodeOrContent n1, NodeOrContent n2, Content c) {
-        isStoreTarget0(n1, c) and
-        n2.asReadContent() = c
-      }
-
-      private predicate storeMayReachARead(NodeOrContent node1, Content c) {
-        exists(NodeOrContent node2 |
-          storeMayReachAReadTc(node1, node2) and
-          storeMayReachAReadJoin(node1, node2, c)
-        )
-      }
-
-      private predicate aStoreMayReachReadTc(NodeOrContent node1, NodeOrContent node2) =
-        doublyBoundedFastTC(step/2, isStoreContent/1, isReadSource/1)(node1, node2)
-
-      pragma[nomagic]
-      private predicate aStoreMayReachReadJoin(NodeOrContent n1, NodeOrContent n2, Content c) {
-        n1.asStoreContent() = c and
-        isReadSource0(n2, c)
-      }
-
-      additional predicate aStoreMayReachRead(NodeOrContent node2, Content c) {
-        exists(NodeOrContent node1 |
-          aStoreMayReachReadTc(node1, node2) and
-          aStoreMayReachReadJoin(node1, node2, c)
-        )
-      }
-
-      private predicate isStoreTargetPruned(NodeOrContent node) { storeMayReachARead(node, _) }
-
-      private predicate isReadSourcePruned(NodeOrContent node) { aStoreMayReachRead(node, _) }
+      private predicate isReadSource(NodeExt node) { isReadSource0(node, _) }
 
-      private predicate storeMayReachReadTc(NodeOrContent node1, NodeOrContent node2) =
-        doublyBoundedFastTC(step/2, isStoreTargetPruned/1, isReadSourcePruned/1)(node1, node2)
+      private predicate storeMayReachReadTc(NodeExt node1, NodeExt node2) =
+        doublyBoundedFastTC(step/2, isStoreTarget/1, isReadSource/1)(node1, node2)
 
       pragma[nomagic]
       private predicate storeMayReachReadDeltaJoinLeft(
-        NodeEx node1, Content c, NodeOrContent node2, boolean fromArg2, DataFlowCallOption callCtx2
+        NodeEx node1, Content c, NodeExt node2, boolean fromArg2, DataFlowCallOption callCtx2
       ) {
         exists(boolean usesPrevDelta |
-          storeMayReachARead(pragma[only_bind_into](node2), pragma[only_bind_into](c)) and
           storeContentStep(node1, c, node2.asNodeEx(usesPrevDelta, fromArg2, callCtx2)) and
           usesPrevDelta = false
         )
       }
 
       pragma[nomagic]
       private predicate storeMayReachReadDeltaJoinRight(
-        NodeOrContent node1, Content c, NodeEx node2, boolean fromArg1, DataFlowCallOption callCtx1
+        NodeExt node1, Content c, NodeEx node2, boolean fromArg1, DataFlowCallOption callCtx1
       ) {
         exists(boolean usesPrevDelta |
-          aStoreMayReachRead(pragma[only_bind_into](node1), pragma[only_bind_into](c)) and
           readContentStep(node1.asNodeEx(usesPrevDelta, fromArg1, callCtx1), c, node2) and
           usesPrevDelta(usesPrevDelta)
         )
@@ -2626,10 +2525,20 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
         NodeEx storeSource, Content c, NodeEx readTarget, boolean fromArg1, boolean fromArg2,
         DataFlowCallOption callCtx1, DataFlowCallOption callCtx2
       ) {
-        exists(NodeOrContent storeTarget, NodeOrContent readSource |
+        exists(NodeExt storeTarget, NodeExt readSource |
           storeMayReachReadTc(storeTarget, readSource) and
           storeMayReachReadDeltaJoinLeft(storeSource, c, storeTarget, fromArg1, callCtx1) and
-          storeMayReachReadDeltaJoinRight(readSource, c, readTarget, fromArg2, callCtx2)
+          storeMayReachReadDeltaJoinRight(readSource, c, readTarget, fromArg2, callCtx2) and
+          (
+            compatibleTypesFilter(storeTarget.getType(), readSource.getType())
+            or
+            not exists(readSource.getType())
+          ) and
+          (
+            compatibleTypesFilter(storeSource.getDataFlowType(), readTarget.getDataFlowType())
+            or
+            not exists(readTarget.getDataFlowType())
+          )
         ) and
         not Prev::storeMayReachReadPrev(storeSource, c, readTarget, fromArg1, fromArg2, callCtx1,
           callCtx2)
@@ -2679,7 +2588,6 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
         or
         // special case only needed for the first iteration: a store immediately followed by a read
         exists(NodeEx storeTargetReadSource |
-          StoreReachesRead1::contentIsReadAndStored(c) and
           storeContentStep(storeSource, c, storeTargetReadSource) and
           readContentStep(storeTargetReadSource, c, readTarget)
         ) and
