Improve join orders for top 5 perf regressions in QA

Author: smowton

go/ql/lib/semmle/go/frameworks/Afero.qll

@@ -65,15 +65,15 @@ module Afero {
       exists(Function f |
         f.hasQualifiedName(aferoPackage(),
           ["WriteReader", "SafeWriteReader", "WriteFile", "ReadFile", "ReadDir"]) and
-        this = f.getACall() and
+        this = pragma[only_bind_out](f.getACall()) and
         pathArg = 1 and
         not aferoSanitizer(this.getArgument(0))
       )
       or
       exists(Method m |
         m.hasQualifiedName(aferoPackage(), "Afero",
           ["WriteReader", "SafeWriteReader", "WriteFile", "ReadFile", "ReadDir"]) and
-        this = m.getACall() and
+        this = pragma[only_bind_out](m.getACall()) and
         pathArg = 0 and
         not aferoSanitizer(this.getReceiver())
       )

go/ql/lib/semmle/go/frameworks/GoMicro.qll

@@ -98,6 +98,12 @@ module GoMicro {
     }
   }
 
+  bindingset[m]
+  pragma[inline_late]
+  private predicate implementsServiceType(Method m) {
+    m.implements(any(ServiceInterfaceType i).getNamedType().getMethod(_))
+  }
+
   /**
    * A service handler.
    */
@@ -106,7 +112,7 @@ module GoMicro {
       exists(DataFlow::CallNode call |
         call.getTarget() instanceof ServiceRegisterHandler and
         this = call.getArgument(1).getType().getMethod(_) and
-        this.implements(any(ServiceInterfaceType i).getNamedType().getMethod(_))
+        implementsServiceType(this)
       )
     }
   }

go/ql/lib/semmle/go/frameworks/Twirp.qll

@@ -118,13 +118,19 @@ module Twirp {
     override string getKind() { result = "URL" }
   }
 
+  bindingset[m]
+  pragma[inline_late]
+  private predicate implementsServiceType(Method m) {
+    m.implements(any(ServiceInterfaceType i).getNamedType().getMethod(_))
+  }
+
   /** A service handler. */
   class ServiceHandler extends Method {
     ServiceHandler() {
       exists(DataFlow::CallNode call |
         call.getTarget() instanceof ServerConstructor and
         this = call.getArgument(0).getType().getMethod(_) and
-        this.implements(any(ServiceInterfaceType i).getNamedType().getMethod(_))
+        implementsServiceType(this)
       )
     }
   }

go/ql/src/Security/CWE-798/HardcodedCredentials.ql

@@ -17,13 +17,17 @@ import go
 import semmle.go.security.HardcodedCredentials
 import semmle.go.security.SensitiveActions
 
+bindingset[write]
+pragma[inline_late]
+private predicate isWriteRhs(Write write, DataFlow::Node rhs) { write.getRhs() = rhs }
+
 /**
  * Holds if `sink` is used in a context that suggests it may hold sensitive data of
  * the given `type`.
  */
 predicate isSensitive(DataFlow::Node sink, SensitiveExpr::Classification type) {
   exists(Write write, string name |
-    write.getRhs() = sink and
+    isWriteRhs(write, sink) and
     name = write.getLhs().getName() and
     // allow obvious test password variables
     not name.regexpMatch(HeuristicNames::notSensitive())