cache more predicates

erik-krogh · erik-krogh · commit f39872e64948 · 2021-11-22T09:03:36.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/Constants.qll b/javascript/ql/lib/semmle/javascript/Constants.qll
@@ -3,10 +3,12 @@
  */
 
 import javascript
+private import semmle.javascript.internal.CachedStages
 
 /**
  * An expression that evaluates to a constant primitive value.
  */
+cached
 abstract class ConstantExpr extends Expr { }
 
 /**
@@ -16,15 +18,19 @@ module SyntacticConstants {
   /**
    * An expression that evaluates to a constant value according to a bottom-up syntactic analysis.
    */
+  cached
   abstract class SyntacticConstant extends ConstantExpr { }
 
   /**
    * A literal primitive expression.
    *
    * Note that `undefined`, `NaN` and `Infinity` are global variables, and are not covered by this class.
    */
+  cached
   class PrimitiveLiteralConstant extends SyntacticConstant {
+    cached
     PrimitiveLiteralConstant() {
+      Stages::Ast::ref() and
       this instanceof NumberLiteral
       or
       this instanceof StringLiteral
@@ -43,19 +49,27 @@ module SyntacticConstants {
   /**
    * A literal null expression.
    */
-  class NullConstant extends SyntacticConstant, NullLiteral { }
+  cached
+  class NullConstant extends SyntacticConstant, NullLiteral {
+    cached
+    NullConstant() { Stages::Ast::ref() and this = this }
+  }
 
   /**
    * A unary operation on a syntactic constant.
    */
+  cached
   class UnaryConstant extends SyntacticConstant, UnaryExpr {
+    cached
     UnaryConstant() { getOperand() instanceof SyntacticConstant }
   }
 
   /**
    * A binary operation on syntactic constants.
    */
+  cached
   class BinaryConstant extends SyntacticConstant, BinaryExpr {
+    cached
     BinaryConstant() {
       getLeftOperand() instanceof SyntacticConstant and
       getRightOperand() instanceof SyntacticConstant
@@ -65,7 +79,9 @@ module SyntacticConstants {
   /**
    * A conditional expression on syntactic constants.
    */
+  cached
   class ConditionalConstant extends SyntacticConstant, ConditionalExpr {
+    cached
     ConditionalConstant() {
       getCondition() instanceof SyntacticConstant and
       getConsequent() instanceof SyntacticConstant and
@@ -76,7 +92,9 @@ module SyntacticConstants {
   /**
    * A use of the global variable `undefined` or `void e`.
    */
+  cached
   class UndefinedConstant extends SyntacticConstant {
+    cached
     UndefinedConstant() {
       this.(GlobalVarAccess).getName() = "undefined" or
       this instanceof VoidExpr
@@ -86,21 +104,27 @@ module SyntacticConstants {
   /**
    * A use of the global variable `NaN`.
    */
+  cached
   class NaNConstant extends SyntacticConstant {
+    cached
     NaNConstant() { this.(GlobalVarAccess).getName() = "NaN" }
   }
 
   /**
    * A use of the global variable `Infinity`.
    */
+  cached
   class InfinityConstant extends SyntacticConstant {
+    cached
     InfinityConstant() { this.(GlobalVarAccess).getName() = "Infinity" }
   }
 
   /**
    * An expression that wraps the syntactic constant it evaluates to.
    */
+  cached
   class WrappedConstant extends SyntacticConstant {
+    cached
     WrappedConstant() { getUnderlyingValue() instanceof SyntacticConstant }
   }
 
@@ -123,6 +147,8 @@ module SyntacticConstants {
 /**
  * An expression that evaluates to a constant string.
  */
+cached
 class ConstantString extends ConstantExpr {
+  cached
   ConstantString() { exists(getStringValue()) }
 }
diff --git a/javascript/ql/lib/semmle/javascript/Expr.qll b/javascript/ql/lib/semmle/javascript/Expr.qll
@@ -89,7 +89,8 @@ class ExprOrType extends @expr_or_type, Documentable {
    *
    * Also see `getUnderlyingReference` and `stripParens`.
    */
-  Expr getUnderlyingValue() { result = this }
+  cached
+  Expr getUnderlyingValue() { Stages::Ast::ref() and result = this }
 }
 
 /**
@@ -274,7 +275,11 @@ private DataFlow::Node getCatchParameterFromStmt(Stmt stmt) {
  */
 class Identifier extends @identifier, ExprOrType {
   /** Gets the name of this identifier. */
-  string getName() { literals(result, _, this) }
+  cached
+  string getName() {
+    Stages::Ast::ref() and
+    literals(result, _, this)
+  }
 
   override string getAPrimaryQlClass() { result = "Identifier" }
 }
diff --git a/javascript/ql/lib/semmle/javascript/MembershipCandidates.qll b/javascript/ql/lib/semmle/javascript/MembershipCandidates.qll
@@ -165,6 +165,7 @@ module MembershipCandidate {
     EnumerationRegExp enumeration;
     boolean polarity;
 
+    pragma[nomagic]
     RegExpEnumerationCandidate() {
       exists(DataFlow::MethodCallNode mcn, DataFlow::Node base, string m, DataFlow::Node firstArg |
         (
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll b/javascript/ql/lib/semmle/javascript/dataflow/TaintTracking.qll
@@ -160,10 +160,12 @@ module TaintTracking {
    * of the standard library. Override `Configuration::isSanitizerGuard`
    * for analysis-specific taint sanitizer guards.
    */
+  cached
   abstract class AdditionalSanitizerGuardNode extends SanitizerGuardNode {
     /**
      * Holds if this guard applies to the flow in `cfg`.
      */
+    cached
     abstract predicate appliesTo(Configuration cfg);
   }
 
@@ -1127,7 +1129,7 @@ module TaintTracking {
         idx = astNode.getAnOperand() and
         idx.getPropertyNameExpr() = x and
         // and the other one is guaranteed to be `undefined`
-        forex(InferredType tp | tp = undef.getAType() | tp = TTUndefined())
+        unique(InferredType tp | tp = pragma[only_bind_into](undef.getAType())) = TTUndefined()
       )
     }
 
diff --git a/javascript/ql/lib/semmle/javascript/internal/CachedStages.qll b/javascript/ql/lib/semmle/javascript/internal/CachedStages.qll
@@ -69,6 +69,14 @@ module Stages {
       exists(any(Expr e).getStringValue())
       or
       any(ASTNode node).isAmbient()
+      or
+      exists(any(Identifier e).getName())
+      or
+      exists(any(ExprOrType e).getUnderlyingValue())
+      or
+      exists(ConstantExpr e)
+      or
+      exists(SyntacticConstants::NullConstant n)
     }
   }
 
@@ -299,6 +307,20 @@ module Stages {
       exists(Exports::getALibraryInputParameter())
       or
       any(RegExpTerm t).isUsedAsRegExp()
+      or
+      any(TaintTracking::AdditionalSanitizerGuardNode e).appliesTo(_)
+    }
+
+    cached
+    class DummySanitizer extends TaintTracking::AdditionalSanitizerGuardNode {
+      cached
+      DummySanitizer() { none() }
+
+      cached
+      override predicate appliesTo(TaintTracking::Configuration cfg) { none() }
+
+      cached
+      override predicate sanitizes(boolean outcome, Expr e) { none() }
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,7 @@ module MembershipCandidate {`
`165`	`165`	`EnumerationRegExp enumeration;`
`166`	`166`	`boolean polarity;`
`167`	`167`
	`168`	`+ pragma[nomagic]`
`168`	`169`	`RegExpEnumerationCandidate() {`
`169`	`170`	`exists(DataFlow::MethodCallNode mcn, DataFlow::Node base, string m, DataFlow::Node firstArg \|`
`170`	`171`	`(`
Original file line number	Diff line number	Diff line change
`@@ -160,10 +160,12 @@ module TaintTracking {`
`160`	`160`	* of the standard library. Override `Configuration::isSanitizerGuard`
`161`	`161`	`* for analysis-specific taint sanitizer guards.`
`162`	`162`	`*/`
	`163`	`+ cached`
`163`	`164`	`abstract class AdditionalSanitizerGuardNode extends SanitizerGuardNode {`
`164`	`165`	`/**`
`165`	`166`	* Holds if this guard applies to the flow in `cfg`.
`166`	`167`	`*/`
	`168`	`+ cached`
`167`	`169`	`abstract predicate appliesTo(Configuration cfg);`
`168`	`170`	`}`
`169`	`171`
`@@ -1127,7 +1129,7 @@ module TaintTracking {`
`1127`	`1129`	`idx = astNode.getAnOperand() and`
`1128`	`1130`	`idx.getPropertyNameExpr() = x and`
`1129`	`1131`	// and the other one is guaranteed to be `undefined`
`1130`		`- forex(InferredType tp \| tp = undef.getAType() \| tp = TTUndefined())`
	`1132`	`+ unique(InferredType tp \| tp = pragma[only_bind_into](undef.getAType())) = TTUndefined()`
`1131`	`1133`	`)`
`1132`	`1134`	`}`
`1133`	`1135`