C++: reachableRecursive refactor for performance

jbj · jbj · commit 5296d7b699e1 · 2019-05-15T13:13:42.000+02:00
The `reachable` predicate is large and slow to compute. It's part of a
mutual recursion that's non-linear, meaning it has a recursive call on
both sides of an `and`.

This change removes a part of the base case that has no effect on
recursive cases. The removed part is added back after the recursion has
finished. That change itself was only a few lines long, but it broke the
caching of the `aborting` and `abortingFunction` predicates in
`ConstantExprs.qll`. These predicates could previously be recomputed
cheaply from cached information, but that's no longer the case because
they now refer (indirectly) to the new `reachableRecursive` predicate,
which is not cached, instead of the `reachable` predicate. To fix that,
I moved all predicates related to CFG pruning into a single `cached
module`, which required most of the predicates to be moved from
`ControlFlowGraph.qll` to `ConstantExprs.qll`.

Before, on Wireshark:

    ControlFlowGraph::Cached::reachable#f .......... 20.8s (executed 9800 times)
    ConstantExprs::successors_adapted#ff ........... 4.2s (executed 615 times)
    ConstantExprs::potentiallyReturningFunction#f .. 3.9s (executed 9799 times)
    ConstantExprs::possiblePredecessor#f ........... 2.9s (executed 788 times)

After, on Wireshark:

    ConstantExprs::reachableRecursive#f ............ 13.2s (executed 9800 times)
    ConstantExprs::successors_adapted#ff ........... 4.2s (executed 615 times)
    ConstantExprs::potentiallyReturningFunction#f .. 4.3s (executed 9799 times)
    ConstantExprs::possiblePredecessor#f ........... 2.6s (executed 788 times)

I've verified that this change doesn't change what's computed by
checking that the output of the following query is unchanged:

    import cpp
    import semmle.code.cpp.controlflow.internal.ConstantExprs

    select
      strictcount(ControlFlowNode n | reachable(n)) as reachable,
      strictcount(ControlFlowNode n1, ControlFlowNode n2 | n2 = n1.getASuccessor()) as edges,
      strictcount(FunctionCall c | aborting(c)) as abortingCall,
      strictcount(Function f | abortingFunction(f)) as abortingFunction
diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/ControlFlowGraph.qll b/cpp/ql/src/semmle/code/cpp/controlflow/ControlFlowGraph.qll
@@ -75,85 +75,7 @@ class ControlFlowNode extends Locatable, ControlFlowNodeBase {
   }
 }
 
-import Cached
-private cached module Cached {
-  // The base case of `reachable` is factored out for performance. If it's
-  // written in-line in `reachable`, the compiler inserts a `n instanceof
-  // ControlFlowNode` check because the `not ... and not ...` case doesn't
-  // otherwise bind `n`. The problem is that this check is inserted at the
-  // outermost level of this predicate, so it covers all cases including the
-  // recursive case. The optimizer doesn't eliminate the check even though it's
-  // redundant, and having the check leads to needless extra computation and a
-  // risk of bad join orders.
-  private predicate reachableBaseCase(ControlFlowNode n) {
-    exists(Function f | f.getEntryPoint() = n)
-    or
-    // Okay to use successors_extended directly here
-    (not successors_extended(_,n) and not successors_extended(n,_))
-    or
-    n instanceof Handler
-  }
-
-  /**
-   * Holds if the control-flow node `n` is reachable, meaning that either
-   * it is an entry point, or there exists a path in the control-flow
-   * graph of its function that connects an entry point to it.
-   * Compile-time constant conditions are taken into account, so that
-   * the call to `f` is not reachable in `if (0) f();` even if the
-   * `if` statement as a whole is reachable.
-   */
-  cached
-  predicate reachable(ControlFlowNode n)
-  {
-    reachableBaseCase(n)
-    or
-    reachable(n.getAPredecessor())
-  }
-
-  /** Holds if `condition` always evaluates to a nonzero value. */
-  cached
-  predicate conditionAlwaysTrue(Expr condition) {
-    conditionAlways(condition, true)
-  }
-
-  /** Holds if `condition` always evaluates to zero. */
-  cached
-  predicate conditionAlwaysFalse(Expr condition) {
-    conditionAlways(condition, false)
-    or
-    // If a loop condition evaluates to false upon entry, it will always
-    // be false
-    loopConditionAlwaysUponEntry(_, condition, false)
-  }
-
-  /**
-   * The condition `condition` for the loop `loop` is provably `true` upon entry.
-   * That is, at least one iteration of the loop is guaranteed.
-   */
-  cached
-  predicate loopConditionAlwaysTrueUponEntry(ControlFlowNode loop, Expr condition) {
-    loopConditionAlwaysUponEntry(loop, condition, true)
-  }
-}
-
-private predicate conditionAlways(Expr condition, boolean b) {
-  exists(ConditionEvaluator x, int val |
-    val = x.getValue(condition) |
-    val != 0 and b = true
-    or
-    val = 0 and b = false
-  )
-}
-
-private predicate loopConditionAlwaysUponEntry(ControlFlowNode loop, Expr condition, boolean b) {
-  exists(LoopEntryConditionEvaluator x, int val |
-    x.isLoopEntry(condition, loop) and
-    val = x.getValue(condition) |
-    val != 0 and b = true
-    or
-    val = 0 and b = false
-  )
-}
+import ControlFlowGraphPublic
 
 /**
  * An element that is convertible to `ControlFlowNode`. This class is similar
diff --git a/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll b/cpp/ql/src/semmle/code/cpp/controlflow/internal/ConstantExprs.qll
@@ -1,20 +1,107 @@
 import cpp
 private import PrimitiveBasicBlocks
 private class Node = ControlFlowNodeBase;
+import Cached
+
+cached
+private module Cached {
+  /** A call to a function known not to return. */
+  cached
+  predicate aborting(FunctionCall c) {
+    not potentiallyReturningFunctionCall(c)
+  }
+
+  /**
+   * Functions that are known not to return. This is normally because the function
+   * exits the program or longjmps to another location.
+   */
+  cached
+  predicate abortingFunction(Function f) {
+    not potentiallyReturningFunction(f)
+  }
+
+  cached
+  module ControlFlowGraphPublic {
+    /**
+     * Holds if the control-flow node `n` is reachable, meaning that either
+     * it is an entry point, or there exists a path in the control-flow
+     * graph of its function that connects an entry point to it.
+     * Compile-time constant conditions are taken into account, so that
+     * the call to `f` is not reachable in `if (0) f();` even if the
+     * `if` statement as a whole is reachable.
+     */
+    cached
+    predicate reachable(ControlFlowNode n)
+    {
+      // Okay to use successors_extended directly here
+      reachableRecursive(n)
+      or
+      (not successors_extended(_,n) and not successors_extended(n,_))
+    }
+
+    /** Holds if `condition` always evaluates to a nonzero value. */
+    cached
+    predicate conditionAlwaysTrue(Expr condition) {
+      conditionAlways(condition, true)
+    }
+
+    /** Holds if `condition` always evaluates to zero. */
+    cached
+    predicate conditionAlwaysFalse(Expr condition) {
+      conditionAlways(condition, false)
+      or
+      // If a loop condition evaluates to false upon entry, it will always
+      // be false
+      loopConditionAlwaysUponEntry(_, condition, false)
+    }
+
+    /**
+     * The condition `condition` for the loop `loop` is provably `true` upon entry.
+     * That is, at least one iteration of the loop is guaranteed.
+     */
+    cached
+    predicate loopConditionAlwaysTrueUponEntry(ControlFlowNode loop, Expr condition) {
+      loopConditionAlwaysUponEntry(loop, condition, true)
+    }
+  }
+
+  /**
+   * An adapted version of the `successors_extended` relation that excludes
+   * impossible control-flow edges - flow will never occur along these
+   * edges, so it is safe (and indeed sensible) to remove them.
+   */
+  cached predicate successors_adapted(Node pred, Node succ) {
+    successors_extended(pred, succ)
+    and possiblePredecessor(pred)
+    and not impossibleFalseEdge(pred, succ)
+    and not impossibleTrueEdge(pred, succ)
+    and not impossibleSwitchEdge(pred, succ)
+    and not impossibleDefaultSwitchEdge(pred, succ)
+    and not impossibleFunctionReturn(pred, succ)
+    and not getOptions().exprExits(pred)
+  }
+}
 
-/** A call to a function known not to return. */
-predicate aborting(FunctionCall c) {
-  not potentiallyReturningFunctionCall(c)
+private predicate conditionAlways(Expr condition, boolean b) {
+  exists(ConditionEvaluator x, int val |
+    val = x.getValue(condition) |
+    val != 0 and b = true
+    or
+    val = 0 and b = false
+  )
 }
 
-/**
- * Functions that are known not to return. This is normally because the function
- * exits the program or longjmps to another location.
- */
-predicate abortingFunction(Function f) {
-  not potentiallyReturningFunction(f)
+private predicate loopConditionAlwaysUponEntry(ControlFlowNode loop, Expr condition, boolean b) {
+  exists(LoopEntryConditionEvaluator x, int val |
+    x.isLoopEntry(condition, loop) and
+    val = x.getValue(condition) |
+    val != 0 and b = true
+    or
+    val = 0 and b = false
+  )
 }
 
+
 /**
  * This relation is the same as the `el instanceof Function`, only obfuscated
  * so the optimizer will not understand that any `FunctionCall.getTarget()`
@@ -61,7 +148,7 @@ private predicate potentiallyReturningFunction(Function f) {
     nonAnalyzableFunction(f)
     or
     // otherwise the exit-point of `f` must be reachable
-    reachable(f)
+    reachableRecursive(f)
   )
 }
 
@@ -202,19 +289,20 @@ private predicate possiblePredecessor(Node pred) {
 }
 
 /**
- * An adapted version of the `successors_extended` relation that excludes
- * impossible control-flow edges - flow will never occur along these
- * edges, so it is safe (and indeed sensible) to remove them.
+ * Holds if the control-flow node `n` is reachable, meaning that either
+ * it is an entry point, or there exists a path in the control-flow
+ * graph of its function that connects an entry point to it.
+ * Compile-time constant conditions are taken into account, so that
+ * the call to `f` is not reachable in `if (0) f();` even if the
+ * `if` statement as a whole is reachable.
  */
-cached predicate successors_adapted(Node pred, Node succ) {
-  successors_extended(pred, succ)
-  and possiblePredecessor(pred)
-  and not impossibleFalseEdge(pred, succ)
-  and not impossibleTrueEdge(pred, succ)
-  and not impossibleSwitchEdge(pred, succ)
-  and not impossibleDefaultSwitchEdge(pred, succ)
-  and not impossibleFunctionReturn(pred, succ)
-  and not getOptions().exprExits(pred)
+private predicate reachableRecursive(ControlFlowNode n)
+{
+  exists(Function f | f.getEntryPoint() = n)
+  or
+  n instanceof Handler
+  or
+  reachableRecursive(n.getAPredecessor())
 }
 
 private predicate compileTimeConstantInt(Expr e, int val) {
