C++: Solve tuple count bulge that may affect performance.

geoffw0 · geoffw0 · commit fdf4e83c2572 · 2020-05-19T16:59:37.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
@@ -171,13 +171,18 @@ private predicate hasUpperBoundsCheck(Variable var) {
   )
 }
 
+private predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
+  readsVariable(node.asInstruction(), checkedVar) and
+  any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)
+}
+
 private predicate nodeIsBarrier(DataFlow::Node node) {
   exists(Variable checkedVar |
     readsVariable(node.asInstruction(), checkedVar) and
     hasUpperBoundsCheck(checkedVar)
   )
   or
-  exists(Variable checkedVar, IRGuardCondition guard, Operand access, Operand other |
+  exists(Variable checkedVar, Operand access |
     /*
      * This node is guarded by a condition that forces the accessed variable
      * to equal something else.  For example:
@@ -189,9 +194,8 @@ private predicate nodeIsBarrier(DataFlow::Node node) {
      * ```
      */
 
-    readsVariable(node.asInstruction(), checkedVar) and
-    readsVariable(access.getDef(), checkedVar) and
-    guard.ensuresEq(access, other, _, node.asInstruction().getBlock(), true)
+    nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
+    readsVariable(access.getDef(), checkedVar)
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -171,13 +171,18 @@ private predicate hasUpperBoundsCheck(Variable var) {`
`171`	`171`	`)`
`172`	`172`	`}`
`173`	`173`
	`174`	`+private predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {`
	`175`	`+ readsVariable(node.asInstruction(), checkedVar) and`
	`176`	`+ any(IRGuardCondition guard).ensuresEq(access, _, _, node.asInstruction().getBlock(), true)`
	`177`	`+}`
	`178`	`+`
`174`	`179`	`private predicate nodeIsBarrier(DataFlow::Node node) {`
`175`	`180`	`exists(Variable checkedVar \|`
`176`	`181`	`readsVariable(node.asInstruction(), checkedVar) and`
`177`	`182`	`hasUpperBoundsCheck(checkedVar)`
`178`	`183`	`)`
`179`	`184`	`or`
`180`		`- exists(Variable checkedVar, IRGuardCondition guard, Operand access, Operand other \|`
	`185`	`+ exists(Variable checkedVar, Operand access \|`
`181`	`186`	`/*`
`182`	`187`	`* This node is guarded by a condition that forces the accessed variable`
`183`	`188`	`* to equal something else. For example:`
`@@ -189,9 +194,8 @@ private predicate nodeIsBarrier(DataFlow::Node node) {`
`189`	`194`	* ```
`190`	`195`	`*/`
`191`	`196`
`192`		`- readsVariable(node.asInstruction(), checkedVar) and`
`193`		`- readsVariable(access.getDef(), checkedVar) and`
`194`		`- guard.ensuresEq(access, other, _, node.asInstruction().getBlock(), true)`
	`197`	`+ nodeIsBarrierEqualityCandidate(node, access, checkedVar) and`
	`198`	`+ readsVariable(access.getDef(), checkedVar)`
`195`	`199`	`)`
`196`	`200`	`}`
`197`	`201`