Data flow: Inline local(Expr|Instruction)?(Flow|Taint)

Computing a full transitive closure is often bad; by inlining all calls we are providing more context to the QL optimizer.
2025-12-18 01:33:15 +01:00 · 2022-01-31 14:28:45 +01:00
parent 56ac99039f
commit f2352d8272
13 changed files with 25 additions and 1 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowUtil.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowUtil.qll
@@ -15,6 +15,7 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFr
 * Holds if data flows from `source` to `sink` in zero or more local
 * (intra-procedural) steps.
 */
+pragma[inline]
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }

 /**
--- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPublic.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPublic.qll
@@ -14,12 +14,14 @@ private import semmle.python.Frameworks
 * Holds if taint propagates from `source` to `sink` in zero or more local
 * (intra-procedural) steps.
 */
+pragma[inline]
 predicate localTaint(DataFlow::Node source, DataFlow::Node sink) { localTaintStep*(source, sink) }

 /**
 * Holds if taint can flow from `e1` to `e2` in zero or more local (intra-procedural)
 * steps.
 */
+pragma[inline]
 predicate localExprTaint(Expr e1, Expr e2) {
  localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
 }