Cache more things.

MathiasVP · MathiasVP · commit d429f904697a · 2021-10-17T21:54:34.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/Ssa.qll
@@ -6,6 +6,7 @@ private import DataFlowUtil
 private import DataFlowPrivate
 private import semmle.code.cpp.models.interfaces.Allocation as Alloc
 
+cached
 private newtype TDefOrUse =
   TExplicitDef(Instruction store) { explicitWrite(_, store, _) } or
   TInitializeParam(Instruction instr) {
@@ -17,6 +18,7 @@ private newtype TDefOrUse =
   TReturnParamIndirection(Operand op) { returnParameterIndirection(op, _) }
 
 pragma[nomagic]
+cached
 private int getRank(DefOrUse defOrUse, IRBlock block) {
   defOrUse =
     rank[result](int i, DefOrUse cand |
@@ -40,7 +42,6 @@ private class DefOrUse extends TDefOrUse {
   abstract IRBlock getBlock();
 
   /** Holds if this definition or use has rank `rank` in block `block`. */
-  cached
   predicate hasRankInBlock(IRBlock block, int rnk) {
     block = getBlock() and
     rnk = getRank(this, block)
@@ -206,20 +207,11 @@ predicate addressFlow(Instruction iFrom, Instruction iTo) {
   )
 }
 
-private predicate valueFlow(Instruction iFrom, Instruction iTo) {
-  iTo.(CopyValueInstruction).getSourceValue() = iFrom
-  or
-  iTo.(ConvertInstruction).getUnary() = iFrom
-  or
-  iTo.(CheckedConvertOrNullInstruction).getUnary() = iFrom
-  or
-  iTo.(InheritanceConversionInstruction).getUnary() = iFrom
-}
-
 /**
  * The reflexive, transitive closure of `addressFlow`. The boolean `readEffect` is `true` if any step in
  * the closure contains a step from the address of a `ReadSideEffectInstruction`.
  */
+cached
 predicate addressFlowTC(Instruction iFrom, Instruction iTo) {
   iFrom = iTo and
   iTo = [getDestinationAddress(_), getSourceAddress(_)]
@@ -270,7 +262,7 @@ Operand getSourceAddressOperand(Instruction instr) {
     ]
 }
 
-predicate nodeLoadFromOperand(Node node, Operand operand) {
+private predicate nodeLoadFromOperand(Node node, Operand operand) {
   operand =
     [
       node.asInstruction().(LoadInstruction).getSourceAddressOperand(),
@@ -309,6 +301,7 @@ Operand getSourceValueOperand(Instruction instr) {
  * The addresses is computed using `address`, and `certain` is `true` if the write is guaranteed to overwrite
  * the entire variable.
  */
+cached
 predicate explicitWrite(boolean certain, Instruction instr, Instruction address) {
   exists(StoreInstruction store |
     store = instr and addressFlowTC(address, store.getDestinationAddress())
@@ -325,145 +318,162 @@ predicate explicitWrite(boolean certain, Instruction instr, Instruction address)
   certain = false
 }
 
-/**
- * Holds if `nodeFrom` is a read or write, and `nTo` is the next subsequent read of the variable
- * written (or read) by `storeOrRead`.
- */
 cached
-predicate ssaFlow(Node nodeFrom, Node nodeTo) {
-  // Def-use/use-use flow from an `InstructionNode` to an `OperandNode`.
-  exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Use defOrUse, Use use, SourceVariable v |
-    defOrUse.hasRankInBlock(bb1, i1) and
-    use.hasRankInBlock(bb2, i2) and
-    use.getVariable() = v and
-    adjacentDefRead(_, bb1, i1, bb2, i2) and
-    nodeFrom.asInstruction() = toInstruction(defOrUse) and
-    flowOutOfAddressStep(use.getOperand(), nodeTo)
-  )
-  or
-  // Use-use flow from a `ReadNode` to an `OperandNode`.
-  exists(ReadNode read, IRBlock bb1, int i1, IRBlock bb2, int i2, Use use1, Use use2 |
-    read = nodeFrom and
-    use1.hasRankInBlock(bb1, i1) and
-    use2.hasRankInBlock(bb2, i2) and
-    use1.getOperand().getDef() = read.getInstruction() and
-    adjacentDefRead(_, bb1, i1, bb2, i2) and
-    flowOutOfAddressStep(use2.getOperand(), nodeTo)
-  )
-  or
-  // Flow from phi nodes
-  exists(PhiNode phi, Use use, IRBlock block, int rnk |
-    phi = nodeFrom.(SsaPhiNode).getPhiNode() and
-    use.hasRankInBlock(block, rnk) and
-    phi.getSourceVariable() = use.getVariable() and
-    flowOutOfAddressStep(use.getOperand(), nodeTo) and
-    adjacentDefRead(_, phi.getBasicBlock(), -1, block, rnk)
-  )
-  or
-  // Flow to phi nodes
-  exists(Def def, StoreNode store, IRBlock block, int rnk |
-    store = nodeFrom and
-    store.isTerminal() and
-    def.getInstruction() = store.getStoreInstruction() and
-    def.hasRankInBlock(block, rnk) and
-    nodeTo.(SsaPhiNode).hasInputAtRankInBlock(block, rnk)
-  )
-  or
-  // Def-use flow from a `StoreNode` to an `OperandNode`.
-  exists(
-    StoreNode store, IRBlock bb1, int i1, IRBlock bb2, int i2, Def def, Use use, Definition ssaDef
-  |
-    store = nodeFrom and
-    store.isTerminal() and
-    def.getInstruction() = store.getStoreInstruction() and
-    def.hasRankInBlock(bb1, i1) and
-    adjacentDefRead(ssaDef, bb1, i1, bb2, i2) and
-    use.hasRankInBlock(bb2, i2) and
-    flowOutOfAddressStep(use.getOperand(), nodeTo)
-  )
-  or
-  // This final case is a bit annoying. The write side effect on an expression like `a = new A;` writes
-  // to a fresh address returned by `operator new`, and there's no easy way to use the shared SSA
-  // library to hook that up to the assignment to `a`. So instead we flow to the _first_ use of the
-  // value computed by `operator new` that occurs after `nodeFrom` (to avoid a loop in the
-  // dataflow graph).
-  exists(StoreNode store, WriteSideEffectInstruction write, IRBlock bb, int i1, int i2, Operand op |
-    store = nodeFrom and
-    store.getInstruction().(CallInstruction).getStaticCallTarget() instanceof
-      Alloc::OperatorNewAllocationFunction and
-    write = store.getStoreInstruction() and
-    bb.getInstruction(i1) = write and
-    bb.getInstruction(i2) = op.getUse() and
-    // Flow to an instruction that occurs later in the block.
-    valueFlow*(store.getInstruction(), op.getDef()) and
-    nodeTo.asOperand() = op and
-    i2 > i1 and
-    // There is no previous instruction that also occurs after `nodeFrom`.
-    not exists(Instruction instr, int i |
-      bb.getInstruction(i) = instr and
-      valueFlow(instr, op.getDef()) and
-      i1 < i and
-      i < i2
+private module Cached {
+  /**
+   * Holds if `nodeFrom` is a read or write, and `nTo` is the next subsequent read of the variable
+   * written (or read) by `storeOrRead`.
+   */
+  cached
+  predicate ssaFlow(Node nodeFrom, Node nodeTo) {
+    // Def-use/use-use flow from an `InstructionNode` to an `OperandNode`.
+    exists(IRBlock bb1, int i1, IRBlock bb2, int i2, Use defOrUse, Use use, SourceVariable v |
+      defOrUse.hasRankInBlock(bb1, i1) and
+      use.hasRankInBlock(bb2, i2) and
+      use.getVariable() = v and
+      adjacentDefRead(_, bb1, i1, bb2, i2) and
+      nodeFrom.asInstruction() = toInstruction(defOrUse) and
+      flowOutOfAddressStep(use.getOperand(), nodeTo)
     )
-  )
-}
+    or
+    // Use-use flow from a `ReadNode` to an `OperandNode`.
+    exists(ReadNode read, IRBlock bb1, int i1, IRBlock bb2, int i2, Use use1, Use use2 |
+      read = nodeFrom and
+      use1.hasRankInBlock(bb1, i1) and
+      use2.hasRankInBlock(bb2, i2) and
+      use1.getOperand().getDef() = read.getInstruction() and
+      adjacentDefRead(_, bb1, i1, bb2, i2) and
+      flowOutOfAddressStep(use2.getOperand(), nodeTo)
+    )
+    or
+    // Flow from phi nodes
+    exists(PhiNode phi, Use use, IRBlock block, int rnk |
+      phi = nodeFrom.(SsaPhiNode).getPhiNode() and
+      use.hasRankInBlock(block, rnk) and
+      phi.getSourceVariable() = use.getVariable() and
+      flowOutOfAddressStep(use.getOperand(), nodeTo) and
+      adjacentDefRead(_, phi.getBasicBlock(), -1, block, rnk)
+    )
+    or
+    // Flow to phi nodes
+    exists(Def def, StoreNode store, IRBlock block, int rnk |
+      store = nodeFrom and
+      store.isTerminal() and
+      def.getInstruction() = store.getStoreInstruction() and
+      def.hasRankInBlock(block, rnk) and
+      nodeTo.(SsaPhiNode).hasInputAtRankInBlock(block, rnk)
+    )
+    or
+    // Def-use flow from a `StoreNode` to an `OperandNode`.
+    exists(
+      StoreNode store, IRBlock bb1, int i1, IRBlock bb2, int i2, Def def, Use use, Definition ssaDef
+    |
+      store = nodeFrom and
+      store.isTerminal() and
+      def.getInstruction() = store.getStoreInstruction() and
+      def.hasRankInBlock(bb1, i1) and
+      adjacentDefRead(ssaDef, bb1, i1, bb2, i2) and
+      use.hasRankInBlock(bb2, i2) and
+      flowOutOfAddressStep(use.getOperand(), nodeTo)
+    )
+    or
+    // This final case is a bit annoying. The write side effect on an expression like `a = new A;` writes
+    // to a fresh address returned by `operator new`, and there's no easy way to use the shared SSA
+    // library to hook that up to the assignment to `a`. So instead we flow to the _first_ use of the
+    // value computed by `operator new` that occurs after `nodeFrom` (to avoid a loop in the
+    // dataflow graph).
+    exists(
+      StoreNode store, WriteSideEffectInstruction write, IRBlock bb, int i1, int i2, Operand op
+    |
+      store = nodeFrom and
+      store.getInstruction().(CallInstruction).getStaticCallTarget() instanceof
+        Alloc::OperatorNewAllocationFunction and
+      write = store.getStoreInstruction() and
+      bb.getInstruction(i1) = write and
+      bb.getInstruction(i2) = op.getUse() and
+      // Flow to an instruction that occurs later in the block.
+      valueFlow*(store.getInstruction(), op.getDef()) and
+      nodeTo.asOperand() = op and
+      i2 > i1 and
+      // There is no previous instruction that also occurs after `nodeFrom`.
+      not exists(Instruction instr, int i |
+        bb.getInstruction(i) = instr and
+        valueFlow(instr, op.getDef()) and
+        i1 < i and
+        i < i2
+      )
+    )
+  }
 
-private predicate flowOutOfAddressStep(Operand operand, Node nTo) {
-  // Flow into a read node
-  exists(ReadNode readNode | readNode = nTo |
-    not exists(readNode.getAPredecessor()) and
-    operand.getDef() = readNode.getInstruction()
-  )
-  or
-  exists(StoreNode storeNode | storeNode = nTo |
-    not exists(storeNode.getAPredecessor()) and
-    // Only transfer flow to a store node if it doesn't immediately overwrite the address
-    // we've just written to.
-    explicitWrite(false, storeNode.getStoreInstruction(), operand.getDef())
-  )
-  or
-  nodeLoadFromOperand(nTo, operand)
-  or
-  exists(ReturnIndirectionInstruction ret |
-    ret.getSourceAddressOperand() = operand and
-    ret = nTo.asInstruction()
-  )
-  or
-  exists(ReturnValueInstruction ret |
-    ret.getReturnAddressOperand() = operand and
-    nTo.asInstruction() = ret
-  )
-  or
-  exists(CallInstruction call, int index, ReadSideEffectInstruction read |
-    call.getArgumentOperand(index) = operand and
-    read.getPrimaryInstruction() = call and
-    read.getIndex() = index and
-    nTo.asOperand() = read.getSideEffectOperand()
-  )
-  or
-  exists(CopyInstruction copy |
-    not exists(getSourceAddressOperand(copy)) and
-    copy.getSourceValueOperand() = operand and
-    flowOutOfAddressStep(copy.getAUse(), nTo)
-  )
-  or
-  exists(ConvertInstruction convert |
-    convert.getUnaryOperand() = operand and
-    flowOutOfAddressStep(convert.getAUse(), nTo)
-  )
-  or
-  exists(CheckedConvertOrNullInstruction convert |
-    convert.getUnaryOperand() = operand and
-    flowOutOfAddressStep(convert.getAUse(), nTo)
-  )
-  or
-  exists(InheritanceConversionInstruction convert |
-    convert.getUnaryOperand() = operand and
-    flowOutOfAddressStep(convert.getAUse(), nTo)
-  )
-  or
-  exists(PointerArithmeticInstruction arith |
-    arith.getLeftOperand() = operand and
-    flowOutOfAddressStep(arith.getAUse(), nTo)
-  )
+  private predicate flowOutOfAddressStep(Operand operand, Node nTo) {
+    // Flow into a read node
+    exists(ReadNode readNode | readNode = nTo |
+      not exists(readNode.getAPredecessor()) and
+      operand.getDef() = readNode.getInstruction()
+    )
+    or
+    exists(StoreNode storeNode | storeNode = nTo |
+      not exists(storeNode.getAPredecessor()) and
+      // Only transfer flow to a store node if it doesn't immediately overwrite the address
+      // we've just written to.
+      explicitWrite(false, storeNode.getStoreInstruction(), operand.getDef())
+    )
+    or
+    nodeLoadFromOperand(nTo, operand)
+    or
+    exists(ReturnIndirectionInstruction ret |
+      ret.getSourceAddressOperand() = operand and
+      ret = nTo.asInstruction()
+    )
+    or
+    exists(ReturnValueInstruction ret |
+      ret.getReturnAddressOperand() = operand and
+      nTo.asInstruction() = ret
+    )
+    or
+    exists(CallInstruction call, int index, ReadSideEffectInstruction read |
+      call.getArgumentOperand(index) = operand and
+      read.getPrimaryInstruction() = call and
+      read.getIndex() = index and
+      nTo.asOperand() = read.getSideEffectOperand()
+    )
+    or
+    exists(CopyInstruction copy |
+      not exists(getSourceAddressOperand(copy)) and
+      copy.getSourceValueOperand() = operand and
+      flowOutOfAddressStep(copy.getAUse(), nTo)
+    )
+    or
+    exists(ConvertInstruction convert |
+      convert.getUnaryOperand() = operand and
+      flowOutOfAddressStep(convert.getAUse(), nTo)
+    )
+    or
+    exists(CheckedConvertOrNullInstruction convert |
+      convert.getUnaryOperand() = operand and
+      flowOutOfAddressStep(convert.getAUse(), nTo)
+    )
+    or
+    exists(InheritanceConversionInstruction convert |
+      convert.getUnaryOperand() = operand and
+      flowOutOfAddressStep(convert.getAUse(), nTo)
+    )
+    or
+    exists(PointerArithmeticInstruction arith |
+      arith.getLeftOperand() = operand and
+      flowOutOfAddressStep(arith.getAUse(), nTo)
+    )
+  }
+
+  private predicate valueFlow(Instruction iFrom, Instruction iTo) {
+    iTo.(CopyValueInstruction).getSourceValue() = iFrom
+    or
+    iTo.(ConvertInstruction).getUnary() = iFrom
+    or
+    iTo.(CheckedConvertOrNullInstruction).getUnary() = iFrom
+    or
+    iTo.(InheritanceConversionInstruction).getUnary() = iFrom
+  }
 }
+
+import Cached
