Merge pull request #15654 from aschackmull/java/static-init-vec-query-perf

Java: Switch helper flow from Global to SimpleGlobal in StaticInitializationVectorQuery.
2025-12-17 01:03:14 +01:00 · 2024-02-21 10:51:16 +01:00
parent f072e41d50 5a348a5048
commit 71f8ccf45f
2 changed files with 25 additions and 20 deletions
--- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -80,18 +80,21 @@ private class ArrayUpdate extends Expr {
  Expr getArray() { result = array }
 }

-/**
- * A config that tracks dataflow from creating an array to an operation that updates it.
- */
-private module ArrayUpdateConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof StaticByteArrayCreation }
-
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(ArrayUpdate upd).getArray() }
-
-  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+private predicate arrayUpdateSrc(DataFlow::Node source) {
+  source.asExpr() instanceof StaticByteArrayCreation
 }

-private module ArrayUpdateFlow = DataFlow::Global<ArrayUpdateConfig>;
+private predicate arrayUpdateSink(DataFlow::Node sink) {
+  sink.asExpr() = any(ArrayUpdate upd).getArray()
+}
+
+private module ArrayUpdateFlowFwd = DataFlow::SimpleGlobal<arrayUpdateSrc/1>;
+
+private module ArrayUpdateFlow = ArrayUpdateFlowFwd::Graph<arrayUpdateSink/1>;
+
+private predicate arrayReachesUpdate(StaticByteArrayCreation array) {
+  exists(ArrayUpdateFlow::PathNode src | src.isSource() and src.getNode().asExpr() = array)
+}

 /**
 * A source that defines an array that doesn't get updated.
@@ -99,7 +102,7 @@ private module ArrayUpdateFlow = DataFlow::Global<ArrayUpdateConfig>;
 private class StaticInitializationVectorSource extends DataFlow::Node {
  StaticInitializationVectorSource() {
    exists(StaticByteArrayCreation array | array = this.asExpr() |
-      not ArrayUpdateFlow::flow(DataFlow::exprNode(array), _) and
+      not arrayReachesUpdate(array) and
      // Reduce FPs from utility methods that return an empty array in an exceptional case
      not exists(ReturnStmt ret |
        array.getADimension().(CompileTimeConstantExpr).getIntValue() = 0 and
--- a/shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll
+++ b/shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll
@@ -785,24 +785,26 @@ module TypeTracking<TypeTrackingInput I> {
        )
      }

+      private Node getNodeMid(PathNodeFwd n) { n = TPathNodeMid(result, _) }
+
+      private Node getNodeSink(PathNodeFwd n) { n = TPathNodeSink(result) }
+
      private predicate edgeCand(PathNodeFwd n1, PathNodeFwd n2) {
        exists(PathNodeFwd tgt |
-          edgeCand(n1.getNode(), n1.getTypeTracker(), tgt.getNode(), tgt.getTypeTracker())
+          edgeCand(getNodeMid(n1), n1.getTypeTracker(), getNodeMid(tgt), tgt.getTypeTracker())
        |
          n2 = tgt
          or
-          n2 = TPathNodeSink(tgt.getNode()) and tgt.getTypeTracker().end()
+          n2 = TPathNodeSink(getNodeMid(tgt)) and tgt.getTypeTracker().end()
        )
        or
        n1.getTypeTracker().end() and
-        flowsTo(n1.getNode(), n2.getNode()) and
-        n1.getNode() != n2.getNode() and
-        n2 instanceof TPathNodeSink
+        flowsTo(getNodeMid(n1), getNodeSink(n2)) and
+        getNodeMid(n1) != getNodeSink(n2)
        or
-        sourceSimpleLocalSmallSteps(n1.getNode(), n2.getNode()) and
-        n1.getNode() != n2.getNode() and
-        n1.isSource() and
-        n2.isSink()
+        sourceSimpleLocalSmallSteps(n1.getNode(), getNodeSink(n2)) and
+        n1.getNode() != getNodeSink(n2) and
+        n1.isSource()
      }

      private predicate reachRev(PathNodeFwd n) {