Merge pull request #15654 from aschackmull/java/static-init-vec-query-perf

Java: Switch helper flow from Global to SimpleGlobal in StaticInitializationVectorQuery.

Author: aschackmull

java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll

@@ -80,26 +80,29 @@ private class ArrayUpdate extends Expr {
   Expr getArray() { result = array }
 }
 
-/**
- * A config that tracks dataflow from creating an array to an operation that updates it.
- */
-private module ArrayUpdateConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof StaticByteArrayCreation }
-
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(ArrayUpdate upd).getArray() }
+private predicate arrayUpdateSrc(DataFlow::Node source) {
+  source.asExpr() instanceof StaticByteArrayCreation
+}
 
-  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+private predicate arrayUpdateSink(DataFlow::Node sink) {
+  sink.asExpr() = any(ArrayUpdate upd).getArray()
 }
 
-private module ArrayUpdateFlow = DataFlow::Global<ArrayUpdateConfig>;
+private module ArrayUpdateFlowFwd = DataFlow::SimpleGlobal<arrayUpdateSrc/1>;
+
+private module ArrayUpdateFlow = ArrayUpdateFlowFwd::Graph<arrayUpdateSink/1>;
+
+private predicate arrayReachesUpdate(StaticByteArrayCreation array) {
+  exists(ArrayUpdateFlow::PathNode src | src.isSource() and src.getNode().asExpr() = array)
+}
 
 /**
  * A source that defines an array that doesn't get updated.
  */
 private class StaticInitializationVectorSource extends DataFlow::Node {
   StaticInitializationVectorSource() {
     exists(StaticByteArrayCreation array | array = this.asExpr() |
-      not ArrayUpdateFlow::flow(DataFlow::exprNode(array), _) and
+      not arrayReachesUpdate(array) and
       // Reduce FPs from utility methods that return an empty array in an exceptional case
       not exists(ReturnStmt ret |
         array.getADimension().(CompileTimeConstantExpr).getIntValue() = 0 and

shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll

@@ -785,24 +785,26 @@ module TypeTracking<TypeTrackingInput I> {
         )
       }
 
+      private Node getNodeMid(PathNodeFwd n) { n = TPathNodeMid(result, _) }
+
+      private Node getNodeSink(PathNodeFwd n) { n = TPathNodeSink(result) }
+
       private predicate edgeCand(PathNodeFwd n1, PathNodeFwd n2) {
         exists(PathNodeFwd tgt |
-          edgeCand(n1.getNode(), n1.getTypeTracker(), tgt.getNode(), tgt.getTypeTracker())
+          edgeCand(getNodeMid(n1), n1.getTypeTracker(), getNodeMid(tgt), tgt.getTypeTracker())
         |
           n2 = tgt
           or
-          n2 = TPathNodeSink(tgt.getNode()) and tgt.getTypeTracker().end()
+          n2 = TPathNodeSink(getNodeMid(tgt)) and tgt.getTypeTracker().end()
         )
         or
         n1.getTypeTracker().end() and
-        flowsTo(n1.getNode(), n2.getNode()) and
-        n1.getNode() != n2.getNode() and
-        n2 instanceof TPathNodeSink
+        flowsTo(getNodeMid(n1), getNodeSink(n2)) and
+        getNodeMid(n1) != getNodeSink(n2)
         or
-        sourceSimpleLocalSmallSteps(n1.getNode(), n2.getNode()) and
-        n1.getNode() != n2.getNode() and
-        n1.isSource() and
-        n2.isSink()
+        sourceSimpleLocalSmallSteps(n1.getNode(), getNodeSink(n2)) and
+        n1.getNode() != getNodeSink(n2) and
+        n1.isSource()
       }
 
       private predicate reachRev(PathNodeFwd n) {