Type tracking: Split up levelStep into levelStepNoCall and levelStepCall

hvitved · hvitved · commit 2e8f46ddd991 · 2022-10-11T13:58:46.000+02:00
To reduce non-linear recursion during call graph construction.
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll
@@ -186,7 +186,7 @@ private module Cached {
     jumpStep(nodeFrom, nodeTo) and
     summary = JumpStep()
     or
-    levelStep(nodeFrom, nodeTo) and
+    levelStepNoCall(nodeFrom, nodeTo) and
     summary = LevelStep()
     or
     exists(TypeTrackerContent content |
@@ -216,6 +216,9 @@ private module Cached {
     or
     returnStep(nodeFrom, nodeTo) and
     summary = ReturnStep()
+    or
+    levelStepCall(nodeFrom, nodeTo) and
+    summary = LevelStep()
   }
 }
 
diff --git a/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll b/ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
@@ -76,20 +76,28 @@ predicate simpleLocalFlowStep = DataFlowPrivate::localFlowStepTypeTracker/2;
  */
 predicate jumpStep = DataFlowPrivate::jumpStep/2;
 
-/**
- * Holds if there is a summarized local flow step from `nodeFrom` to `nodeTo`,
- * because there is direct flow from a parameter to a return. That is, summarized
- * steps are not applied recursively.
- */
+/** Holds if there is direct flow from `param` to a return. */
 pragma[nomagic]
-private predicate summarizedLocalStep(Node nodeFrom, Node nodeTo) {
-  exists(DataFlowPublic::ParameterNode param, DataFlowPrivate::ReturningNode returnNode |
+private predicate flowThrough(DataFlowPublic::ParameterNode param) {
+  exists(DataFlowPrivate::ReturningNode returnNode |
     DataFlowPrivate::LocalFlow::getParameterDefNode(param.getParameter())
         .(TypeTrackingNode)
-        .flowsTo(returnNode) and
+        .flowsTo(returnNode)
+  )
+}
+
+/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which may depend on the call graph. */
+pragma[nomagic]
+predicate levelStepCall(Node nodeFrom, Node nodeTo) {
+  exists(DataFlowPublic::ParameterNode param |
+    flowThrough(param) and
     callStep(nodeTo.asExpr(), nodeFrom, param)
   )
-  or
+}
+
+/** Holds if there is a level step from `nodeFrom` to `nodeTo`, which does not depend on the call graph. */
+pragma[nomagic]
+predicate levelStepNoCall(Node nodeFrom, Node nodeTo) {
   exists(
     SummarizedCallable callable, DataFlowPublic::CallNode call, SummaryComponentStack input,
     SummaryComponentStack output
@@ -99,11 +107,6 @@ private predicate summarizedLocalStep(Node nodeFrom, Node nodeTo) {
     nodeFrom = evaluateSummaryComponentStackLocal(callable, call, input) and
     nodeTo = evaluateSummaryComponentStackLocal(callable, call, output)
   )
-}
-
-/** Holds if there is a level step from `nodeFrom` to `nodeTo`. */
-predicate levelStep(Node nodeFrom, Node nodeTo) {
-  summarizedLocalStep(nodeFrom, nodeTo)
   or
   localFieldStep(nodeFrom, nodeTo)
 }
