Merge pull request #20092 from aschackmull/java/joinorder2

aschackmull · web-flow · commit d5cdfc673e24 · 2025-07-21T11:27:14.000+02:00
Java: Improve more join-orders
diff --git a/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql b/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
@@ -18,6 +18,15 @@ import semmle.code.java.dataflow.SSA
 import semmle.code.java.dataflow.RangeUtils
 import semmle.code.java.dataflow.RangeAnalysis
 
+pragma[nomagic]
+predicate ssaArrayLengthBound(SsaVariable arr, Bound b) {
+  exists(FieldAccess len |
+    len.getField() instanceof ArrayLengthField and
+    len.getQualifier() = arr.getAUse() and
+    b.getExpr() = len
+  )
+}
+
 /**
  * Holds if the index expression of `aa` is less than or equal to the array length plus `k`.
  */
@@ -27,12 +36,8 @@ predicate boundedArrayAccess(ArrayAccess aa, int k) {
     aa.getArray() = arr.getAUse() and
     bounded(index, b, delta, true, _)
   |
-    exists(FieldAccess len |
-      len.getField() instanceof ArrayLengthField and
-      len.getQualifier() = arr.getAUse() and
-      b.getExpr() = len and
-      k = delta
-    )
+    ssaArrayLengthBound(arr, b) and
+    k = delta
     or
     exists(ArrayCreationExpr arraycreation | arraycreation = getArrayDef(arr) |
       k = delta and
diff --git a/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql b/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql
@@ -15,14 +15,34 @@
 
 import java
 
+pragma[nomagic]
+predicate mayThrow(Stmt s, RefType rt) {
+  s.(ThrowStmt).getExpr().getType() = rt
+  or
+  exists(Call call |
+    call.getEnclosingStmt() = s and
+    call.getCallee().getAnException().getType() = rt
+  )
+}
+
+pragma[nomagic]
+predicate caughtBy(TryStmt try, Stmt s, RefType rt) {
+  mayThrow(s, rt) and
+  s.getEnclosingStmt+() = try.getBlock() and
+  caughtType(try, _).hasSubtype*(rt)
+}
+
+pragma[nomagic]
+predicate nestedTry(TryStmt outer, TryStmt inner) { inner.getEnclosingStmt+() = outer.getBlock() }
+
 /**
  * Exceptions of type `rt` thrown from within statement `s` are caught by an inner try block
  * and are therefore not propagated to the outer try block `t`.
  */
 private predicate caughtInside(TryStmt t, Stmt s, RefType rt) {
-  exists(TryStmt innerTry | innerTry.getEnclosingStmt+() = t.getBlock() |
-    s.getEnclosingStmt+() = innerTry.getBlock() and
-    caughtType(innerTry, _).hasSubtype*(rt)
+  exists(TryStmt innerTry |
+    nestedTry(t, innerTry) and
+    caughtBy(innerTry, s, rt)
   )
 }
 
