Further optimisation

smowton · smowton · commit 36a031833f97 · 2024-10-08T19:23:24.000+01:00
diff --git a/go/ql/lib/semmle/go/Expr.qll b/go/ql/lib/semmle/go/Expr.qll
@@ -2098,6 +2098,7 @@ class LabelName extends Name {
  * may be identified as such, so not all type expressions can be determined by
  * a bottom-up analysis. In such cases, `isTypeExprTopDown` below is useful.
  */
+pragma[nomagic]
 private predicate isTypeExprBottomUp(Expr e) {
   e instanceof TypeName
   or
diff --git a/go/ql/lib/semmle/go/controlflow/IR.qll b/go/ql/lib/semmle/go/controlflow/IR.qll
@@ -501,10 +501,11 @@ module IR {
     override StructLit lit;
 
     /** Gets the name of the initialized field. */
+    pragma[nomagic]
     string getFieldName() {
       if elt instanceof KeyValueExpr
       then result = elt.(KeyValueExpr).getKey().(Ident).getName()
-      else lit.getStructType().hasOwnField(i, result, _, _)
+      else pragma[only_bind_out](lit.getStructType()).hasOwnField(i, result, _, _)
     }
 
     /** Gets the initialized field. */
diff --git a/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll b/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll
@@ -190,6 +190,7 @@ predicate sliceStep(DataFlow::Node pred, DataFlow::Node succ) {
  */
 abstract class FunctionModel extends Function {
   /** Holds if taint propagates through this function from `input` to `output`. */
+  pragma[nomagic]
   abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);
 
   /** Gets an input node for this model for the call `c`. */
diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -75,6 +75,15 @@ module OpenUrlRedirect {
     }
   }
 
+  bindingset[var, w]
+  pragma[inline_late]
+  private predicate useIsDominated(
+    SsaWithFields var, Write w, DataFlow::ReadNode sanitizedRead
+  ) {
+    w.dominatesNode(sanitizedRead.asInstruction()) and
+    sanitizedRead = var.getAUse()
+  }
+
   /**
    * An access to a variable that is preceded by an assignment to its `Path` field.
    *
@@ -83,13 +92,10 @@ module OpenUrlRedirect {
    */
   class PathAssignmentBarrier extends Barrier, Read {
     PathAssignmentBarrier() {
-      exists(Write w, Field f, SsaWithFields var |
-        f.getName() = "Path" and
+      exists(Write w, SsaWithFields var |
         hasHostnameSanitizingSubstring(w.getRhs()) and
-        this = var.getAUse()
-      |
-        w.writesField(var.getAUse(), f, _) and
-        w.dominatesNode(insn)
+        w.writesField(var.getAUse(), any(Field f | f.getName() = "Path"), _) and
+        useIsDominated(var, w, this)
       )
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,15 @@ module OpenUrlRedirect {`
`75`	`75`	`}`
`76`	`76`	`}`
`77`	`77`
	`78`	`+ bindingset[var, w]`
	`79`	`+ pragma[inline_late]`
	`80`	`+ private predicate useIsDominated(`
	`81`	`+ SsaWithFields var, Write w, DataFlow::ReadNode sanitizedRead`
	`82`	`+ ) {`
	`83`	`+ w.dominatesNode(sanitizedRead.asInstruction()) and`
	`84`	`+ sanitizedRead = var.getAUse()`
	`85`	`+ }`
	`86`	`+`
`78`	`87`	`/**`
`79`	`88`	* An access to a variable that is preceded by an assignment to its `Path` field.
`80`	`89`	`*`
`@@ -83,13 +92,10 @@ module OpenUrlRedirect {`
`83`	`92`	`*/`
`84`	`93`	`class PathAssignmentBarrier extends Barrier, Read {`
`85`	`94`	`PathAssignmentBarrier() {`
`86`		`- exists(Write w, Field f, SsaWithFields var \|`
`87`		`- f.getName() = "Path" and`
	`95`	`+ exists(Write w, SsaWithFields var \|`
`88`	`96`	`hasHostnameSanitizingSubstring(w.getRhs()) and`
`89`		`- this = var.getAUse()`
`90`		`- \|`
`91`		`- w.writesField(var.getAUse(), f, _) and`
`92`		`- w.dominatesNode(insn)`
	`97`	`+ w.writesField(var.getAUse(), any(Field f \| f.getName() = "Path"), _) and`
	`98`	`+ useIsDominated(var, w, this)`
`93`	`99`	`)`
`94`	`100`	`}`
`95`	`101`	`}`