wip2

hvitved · hvitved · commit cda67b3edaf3 · 2024-10-22T14:35:44.000+02:00
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -2606,23 +2606,6 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
           );
         }
 
-        /**
-         * A node where some checking is required, and hence the big-step relation
-         * is not allowed to step over.
-         */
-        additional class FlowCheckNode extends NodeEx {
-          FlowCheckNode() {
-            revFlow(this, _, _) and
-            (
-              castNode(this.asNode()) or
-              clearsContentCached(this.asNode(), _) or
-              expectsContentCached(this.asNode(), _) or
-              neverSkipInPathGraph(this.asNode()) or
-              Config::neverSkip(this.asNode())
-            )
-          }
-        }
-
         /**
          * Provides a big-step relation for local flow steps.
          *
@@ -2631,6 +2614,23 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
          * reachable in this stage.
          */
         additional module LocalFlowBigStep<LocalFlowBigStepInputSig Input> {
+          /**
+           * A node where some checking is required, and hence the big-step relation
+           * is not allowed to step over.
+           */
+          private class FlowCheckNode extends NodeEx {
+            FlowCheckNode() {
+              revFlow(this, _, _) and
+              (
+                castNode(this.asNode()) or
+                clearsContentCached(this.asNode(), _) or
+                expectsContentCached(this.asNode(), _) or
+                neverSkipInPathGraph(this.asNode()) or
+                Config::neverSkip(this.asNode())
+              )
+            }
+          }
+
           private predicate additionalLocalStateStep(
             NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, DataFlowType t,
             LocalCallContext lcc, string label
@@ -2767,6 +2767,33 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
             exists(Ap ap |
               localFlowStepPlus(node1, state1, node2, preservesValue, t, callContext, label) and
               localFlowExit(node2, state1, ap) and
+              state1 = state2 and
+              node1 != node2
+            |
+              preservesValue = true or ap instanceof ApNil
+            )
+            or
+            additionalLocalStateStep(node1, state1, node2, state2, t, callContext, label) and
+            preservesValue = false
+          }
+
+          /**
+           * Holds if `node1` can step to `node2` in one or more local steps and this
+           * path can occur as a maximal subsequence of local steps in a dataflow path.
+           *
+           * This predicate should be used when `Input::localStep` is already a big-step
+           * relation, which will do the same as `localFlowBigStep`, but avoids potential
+           * worst-case quadratic complexity.
+           */
+          pragma[nomagic]
+          predicate localFlowBigStepTc(
+            NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
+            DataFlowType t, LocalCallContext callContext, string label
+          ) {
+            exists(Ap ap |
+              localFlowEntry(node1, state1, ap) and
+              Input::localStep(node1, state1, node2, state2, preservesValue, t, callContext, label) and
+              localFlowExit(node2, state2, ap) and
               state1 = state2
             |
               preservesValue = true or ap instanceof ApNil
@@ -3788,7 +3815,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       import CallContextSensitivity<CallContextSensitivityInput>
       import NoLocalCallContext
 
-      additional module BigStepInput implements PrevStage::LocalFlowBigStepInputSig {
+      private module BigStepInput implements PrevStage::LocalFlowBigStepInputSig {
         bindingset[node1, state1]
         bindingset[node2, state2]
         predicate localStep(
@@ -4203,15 +4230,12 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       import CallContextSensitivity<CallContextSensitivityInput>
       import LocalCallContext
 
-      predicate localStep(
-        NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-        Typ t, LocalCc lcc, string label
-      ) {
-        Stage3Param::localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc, label) and
-        PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-        PrevStage::revFlow(node2, pragma[only_bind_into](state2), _)
+      private module BigStepInput implements PrevStage::LocalFlowBigStepInputSig {
+        predicate localStep = Stage3Param::localFlowBigStep/8;
       }
 
+      predicate localStep = PrevStage::LocalFlowBigStep<BigStepInput>::localFlowBigStepTc/8;
+
       bindingset[node, state, t0, ap]
       predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
         strengthenType(node, t0, t) and
@@ -4409,46 +4433,10 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       import LocalCallContext
 
       private module BigStepInput implements PrevStage::LocalFlowBigStepInputSig {
-        private predicate smallStep = Stage3Param::BigStepInput::localStep/8;
-
-        private predicate localStepCand(
-          NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue
-        ) {
-          Stage5Param::localStep(node1, state1, _, _, _, _, _, _) and
-          smallStep(node1, state1, node2, state2, preservesValue, _, _, _)
-          or
-          exists(FlowState midState, NodeEx midNode |
-            localStepCand(node1, state1, midNode, midState, preservesValue) and
-            smallStep(midNode, midState, node2, state2, _, _, _, _) and
-            not (
-              Stage5Param::localStep(midNode, midState, _, _, _, _, _, _) and
-              Stage5Param::localStep(_, _, midNode, midState, _, _, _, _)
-            ) and
-            not midNode instanceof Stage5::FlowCheckNode
-          )
-        }
-
-        /**
-         * When calculating `localFlowBigStep` based on `Stage5Param::localStep`, which
-         * is already a big-step relation, we must be careful to avoid quadratic blowup.
-         *
-         * This is achieved by restricting `Stage5Param::localStep` to those node pairs
-         * reacheable via 1 or more `smallStep`s, where any intermediate node is not
-         * already part of `Stage5Param::localStep`.
-         */
-        pragma[nomagic]
-        predicate localStep(
-          NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-          DataFlowType t, LocalCallContext lcc, string label
-        ) {
-          localStepCand(node1, state1, node2, state2, preservesValue) and
-          Stage5Param::localStep(node1, state1, node2, state2, preservesValue, t, lcc, label) and
-          PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
-          PrevStage::revFlow(node2, pragma[only_bind_into](state2), _)
-        }
+        predicate localStep = Stage5Param::localStep/8;
       }
 
-      predicate localStep = PrevStage::LocalFlowBigStep<BigStepInput>::localFlowBigStep/8;
+      predicate localStep = PrevStage::LocalFlowBigStep<BigStepInput>::localFlowBigStepTc/8;
 
       bindingset[node, state, t0, ap]
       predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
