-
| I am currently using CodeQL to detect some specific code patterns, and I suffer from large overhead for compiling QL code. import cpp
import semmle.code.cpp.models.interfaces.Allocation
import semmle.code.cpp.ir.dataflow.DataFlow
import MultToAlloc::PathGraph
import MultToAlloc::PathGraph
module MultToAllocConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) {
    // a multiplication of two non-constant expressions
    exists(MulExpr me |
      me = node.asExpr() and
      forall(Expr e | e = me.getAnOperand() | not exists(e.getValue()))
    )
  }
  predicate isSink(DataFlow::Node node) {
    // something that affects an allocation size
    node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
  }
}
module MultToAlloc = DataFlow::Global<MultToAllocConfig>;
// pragma[noinline]
// language[monotonicAggregates]
predicate isTheTargetRelation(AssignExpr expr_2425435, LogicalAndExpr expr_2425477, AssignExpr expr_2425495, IfStmt stmt_2425438, Expr source, Expr sink) {
  postDominates(expr_2425477, source) and
  dominates(expr_2425477, expr_2425495) and
  postDominates(stmt_2425438, expr_2425435) and
  postDominates(stmt_2425438, source) and
  stmt_2425438.getCondition() = expr_2425477.getParentWithConversions*() and
  dominates(expr_2425435, expr_2425477) and
  dominates(expr_2425435, expr_2425495) and
  dominates(expr_2425435, stmt_2425438) and
  postDominates(expr_2425477, expr_2425435) and
  // The following lines cause extremely slow compilation
  // ================ The 4 lines =======================
  expr_2425435.getLValue().(VariableAccess).getTarget() = expr_2425477.(LogicalAndExpr).getRightOperand().(NEExpr).getRightOperand().(DivExpr).getLeftOperand().(VariableAccess).getTarget() and
  expr_2425435.getLValue().(VariableAccess).getTarget() = expr_2425495.getLValue().(VariableAccess).getTarget() and
  expr_2425435.getRValue().(MulExpr).getLeftOperand().(VariableAccess).getTarget() = expr_2425477.(LogicalAndExpr).getRightOperand().(NEExpr).getLeftOperand().(VariableAccess).getTarget() and
  expr_2425435.getRValue().(MulExpr).getRightOperand().(VariableAccess).getTarget() = expr_2425477.(LogicalAndExpr).getRightOperand().(NEExpr).getRightOperand().(DivExpr).getRightOperand().(VariableAccess).getTarget()
}
from MultToAlloc::PathNode n_source, Expr source, MultToAlloc::PathNode n_sink, Expr sink,
  AssignExpr expr_2425435, LogicalAndExpr expr_2425477, AssignExpr expr_2425495, IfStmt stmt_2425438
where
MultToAlloc::flowPath(n_source, n_sink) and source = n_source.getNode().asExpr() and sink = n_sink.getNode().asExpr()
 and
  isTheTargetRelation(expr_2425435, expr_2425477, expr_2425495, stmt_2425438, source, sink)
select sink, source, sink,
  "Potentially overflowing value from $@ is used in the size of this allocation.", source,
  "multiplication"Basing on this page, https://codeql.github.com/docs/ql-language-reference/annotations/ 
 It seems  Why the compilation process for those 4 lines can be so slow? Is there any guidance? How to solve the problem? | 
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
| Hi @whj0401 , Which version of CodeQL are you running? The query with the 4 lines compiles within seconds for me with the latest version. I do see the noopt problem, but it's different from the one you report. | 
Beta Was this translation helpful? Give feedback.
-
| Instead of having everything in one predicate, split the predicate in a number of different predicates that make logical sense. That is likely to improve both compilation performance and evaluation performance. | 
Beta Was this translation helpful? Give feedback.
Instead of having everything in one predicate, split the predicate in a number of different predicates that make logical sense. That is likely to improve both compilation performance and evaluation performance.