Merge pull request #20383 from aschackmull/java/fix-more-broken-perf

IdrissRio · web-flow · commit dc247e03e09c · 2025-09-08T14:49:43.000+02:00
Java: Fix more broken performance.
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -278,21 +278,23 @@ private predicate inputStreamWrapper(Constructor c, int argi) {
 
 /** An object construction that preserves the data flow status of any of its arguments. */
 private predicate constructorStep(Expr tracked, ConstructorCall sink, string model) {
-  exists(int argi | sink.getArgument(argi) = tracked |
+  exists(int argi | sink.getArgument(pragma[only_bind_into](argi)) = tracked |
     // wrappers constructed by extension
     exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
       c = sink.getConstructor() and
-      p = c.getParameter(argi) and
+      p = c.getParameter(pragma[only_bind_into](argi)) and
       sup.getEnclosingCallable() = c and
       constructorStep(p.getAnAccess(), sup, model)
     )
     or
     // a custom InputStream that wraps a tainted data source is tainted
     model = "inputStreamWrapper" and
-    inputStreamWrapper(sink.getConstructor(), argi)
+    inputStreamWrapper(sink.getConstructor(), pragma[only_bind_into](argi))
     or
     model = "TaintPreservingCallable" and
-    sink.getConstructor().(TaintPreservingCallable).returnsTaintFrom(argToParam(sink, argi))
+    sink.getConstructor()
+        .(TaintPreservingCallable)
+        .returnsTaintFrom(argToParam(sink, pragma[only_bind_into](argi)))
   )
 }
 
diff --git a/java/ql/lib/semmle/code/java/frameworks/android/ExternalStorage.qll b/java/ql/lib/semmle/code/java/frameworks/android/ExternalStorage.qll
@@ -20,18 +20,19 @@ private predicate externalStorageFlowStep(DataFlow::Node node1, DataFlow::Node n
   node2.asExpr().(FieldRead).getField().getInitializer() = node1.asExpr()
 }
 
-private predicate externalStorageFlow(DataFlow::Node node1, DataFlow::Node node2) {
-  externalStorageFlowStep*(node1, node2)
+private predicate externalStorageDirFlowsTo(DataFlow::Node n) {
+  sourceNode(n, "android-external-storage-dir")
+  or
+  exists(DataFlow::Node mid | externalStorageDirFlowsTo(mid) and externalStorageFlowStep(mid, n))
 }
 
 /**
  * Holds if `n` is a node that reads the contents of an external file in Android.
  * This is controllable by third-party applications, so is treated as a remote flow source.
  */
 predicate androidExternalStorageSource(DataFlow::Node n) {
-  exists(DataFlow::Node externalDir, DirectFileReadExpr read |
-    sourceNode(externalDir, "android-external-storage-dir") and
+  exists(DirectFileReadExpr read |
     n.asExpr() = read and
-    externalStorageFlow(externalDir, DataFlow::exprNode(read.getFileExpr()))
+    externalStorageDirFlowsTo(DataFlow::exprNode(read.getFileExpr()))
   )
 }
diff --git a/java/ql/src/Likely Bugs/Collections/ContainsTypeMismatch.ql b/java/ql/src/Likely Bugs/Collections/ContainsTypeMismatch.ql
@@ -99,14 +99,14 @@ predicate containerAccess(string package, string type, int p, string signature,
 class MismatchedContainerAccess extends MethodCall {
   MismatchedContainerAccess() {
     exists(string package, string type, int i |
-      containerAccess(package, type, _, this.getCallee().getSignature(), i)
+      containerAccess(package, type, _, this.getCallee().getSignature(), pragma[only_bind_into](i))
     |
       this.getCallee()
           .getDeclaringType()
           .getSourceDeclaration()
           .getASourceSupertype*()
           .hasQualifiedName(package, type) and
-      this.getCallee().getParameter(i).getType() instanceof TypeObject
+      this.getCallee().getParameter(pragma[only_bind_into](i)).getType() instanceof TypeObject
     )
   }
 
diff --git a/java/ql/src/Likely Bugs/Collections/RemoveTypeMismatch.ql b/java/ql/src/Likely Bugs/Collections/RemoveTypeMismatch.ql
@@ -69,14 +69,15 @@ predicate containerModification(string package, string type, int p, string signa
 class MismatchedContainerModification extends MethodCall {
   MismatchedContainerModification() {
     exists(string package, string type, int i |
-      containerModification(package, type, _, this.getCallee().getSignature(), i)
+      containerModification(package, type, _, this.getCallee().getSignature(),
+        pragma[only_bind_into](i))
     |
       this.getCallee()
           .getDeclaringType()
           .getASourceSupertype*()
           .getSourceDeclaration()
           .hasQualifiedName(package, type) and
-      this.getCallee().getParameter(i).getType() instanceof TypeObject
+      this.getCallee().getParameter(pragma[only_bind_into](i)).getType() instanceof TypeObject
     )
   }
 
diff --git a/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql b/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql
@@ -24,14 +24,20 @@ class Adapter extends Class {
   }
 }
 
-from Class c, Adapter adapter, Method m
-where
+pragma[nomagic]
+predicate candidate(Class c, Adapter adapter, Method m, string name) {
   adapter = c.getASupertype() and
   c = m.getDeclaringType() and
-  exists(Method original | adapter = original.getDeclaringType() | m.getName() = original.getName()) and
-  not exists(Method overridden | adapter = overridden.getDeclaringType() | m.overrides(overridden)) and
+  name = m.getName() and
   // The method is not used for any other purpose.
   not exists(MethodCall ma | ma.getMethod() = m)
+}
+
+from Class c, Adapter adapter, Method m, string name
+where
+  candidate(c, adapter, m, name) and
+  exists(Method original | adapter = original.getDeclaringType() | name = original.getName()) and
+  not exists(Method overridden | adapter = overridden.getDeclaringType() | m.overrides(overridden))
 select m,
   "Method " + m.getName() + " attempts to override a method in " + adapter.getName() +
     ", but does not have the same argument types. " + m.getName() +
diff --git a/java/ql/src/Likely Bugs/Likely Typos/SelfAssignment.ql b/java/ql/src/Likely Bugs/Likely Typos/SelfAssignment.ql
@@ -13,6 +13,7 @@
 
 import java
 
+pragma[nomagic]
 predicate toCompare(VarAccess left, VarAccess right) {
   exists(AssignExpr assign | assign.getDest() = left and assign.getSource() = right)
   or
@@ -29,17 +30,21 @@ predicate local(RefType enclosingType, VarAccess v) {
   not exists(v.getQualifier()) and enclosingType = v.getEnclosingCallable().getDeclaringType()
 }
 
+pragma[nomagic]
 predicate sameVariable(VarAccess left, VarAccess right) {
   toCompare(left, right) and
-  left.getVariable() = right.getVariable() and
+  pragma[only_bind_out](left.getVariable()) = pragma[only_bind_out](right.getVariable()) and
   (
     exists(Expr q1, Expr q2 |
       q1 = left.getQualifier() and
       sameVariable(q1, q2) and
       q2 = right.getQualifier()
     )
     or
-    exists(RefType enclosingType | local(enclosingType, left) and local(enclosingType, right))
+    exists(RefType enclosingType |
+      local(enclosingType, pragma[only_bind_out](left)) and
+      local(enclosingType, pragma[only_bind_out](right))
+    )
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -20,18 +20,19 @@ private predicate externalStorageFlowStep(DataFlow::Node node1, DataFlow::Node n`
`20`	`20`	`node2.asExpr().(FieldRead).getField().getInitializer() = node1.asExpr()`
`21`	`21`	`}`
`22`	`22`
`23`		`-private predicate externalStorageFlow(DataFlow::Node node1, DataFlow::Node node2) {`
`24`		`- externalStorageFlowStep*(node1, node2)`
	`23`	`+private predicate externalStorageDirFlowsTo(DataFlow::Node n) {`
	`24`	`+ sourceNode(n, "android-external-storage-dir")`
	`25`	`+ or`
	`26`	`+ exists(DataFlow::Node mid \| externalStorageDirFlowsTo(mid) and externalStorageFlowStep(mid, n))`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`/**`
`28`	`30`	* Holds if `n` is a node that reads the contents of an external file in Android.
`29`	`31`	`* This is controllable by third-party applications, so is treated as a remote flow source.`
`30`	`32`	`*/`
`31`	`33`	`predicate androidExternalStorageSource(DataFlow::Node n) {`
`32`		`- exists(DataFlow::Node externalDir, DirectFileReadExpr read \|`
`33`		`- sourceNode(externalDir, "android-external-storage-dir") and`
	`34`	`+ exists(DirectFileReadExpr read \|`
`34`	`35`	`n.asExpr() = read and`
`35`		`- externalStorageFlow(externalDir, DataFlow::exprNode(read.getFileExpr()))`
	`36`	`+ externalStorageDirFlowsTo(DataFlow::exprNode(read.getFileExpr()))`
`36`	`37`	`)`
`37`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -99,14 +99,14 @@ predicate containerAccess(string package, string type, int p, string signature,`
`99`	`99`	`class MismatchedContainerAccess extends MethodCall {`
`100`	`100`	`MismatchedContainerAccess() {`
`101`	`101`	`exists(string package, string type, int i \|`
`102`		`- containerAccess(package, type, _, this.getCallee().getSignature(), i)`
	`102`	`+ containerAccess(package, type, _, this.getCallee().getSignature(), pragma[only_bind_into](i))`
`103`	`103`	`\|`
`104`	`104`	`this.getCallee()`
`105`	`105`	`.getDeclaringType()`
`106`	`106`	`.getSourceDeclaration()`
`107`	`107`	`.getASourceSupertype*()`
`108`	`108`	`.hasQualifiedName(package, type) and`
`109`		`- this.getCallee().getParameter(i).getType() instanceof TypeObject`
	`109`	`+ this.getCallee().getParameter(pragma[only_bind_into](i)).getType() instanceof TypeObject`
`110`	`110`	`)`
`111`	`111`	`}`
`112`	`112`
Original file line number	Diff line number	Diff line change
`@@ -69,14 +69,15 @@ predicate containerModification(string package, string type, int p, string signa`
`69`	`69`	`class MismatchedContainerModification extends MethodCall {`
`70`	`70`	`MismatchedContainerModification() {`
`71`	`71`	`exists(string package, string type, int i \|`
`72`		`- containerModification(package, type, _, this.getCallee().getSignature(), i)`
	`72`	`+ containerModification(package, type, _, this.getCallee().getSignature(),`
	`73`	`+ pragma[only_bind_into](i))`
`73`	`74`	`\|`
`74`	`75`	`this.getCallee()`
`75`	`76`	`.getDeclaringType()`
`76`	`77`	`.getASourceSupertype*()`
`77`	`78`	`.getSourceDeclaration()`
`78`	`79`	`.hasQualifiedName(package, type) and`
`79`		`- this.getCallee().getParameter(i).getType() instanceof TypeObject`
	`80`	`+ this.getCallee().getParameter(pragma[only_bind_into](i)).getType() instanceof TypeObject`
`80`	`81`	`)`
`81`	`82`	`}`
`82`	`83`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`
`14`	`14`	`import java`
`15`	`15`
	`16`	`+pragma[nomagic]`
`16`	`17`	`predicate toCompare(VarAccess left, VarAccess right) {`
`17`	`18`	`exists(AssignExpr assign \| assign.getDest() = left and assign.getSource() = right)`
`18`	`19`	`or`
`@@ -29,17 +30,21 @@ predicate local(RefType enclosingType, VarAccess v) {`
`29`	`30`	`not exists(v.getQualifier()) and enclosingType = v.getEnclosingCallable().getDeclaringType()`
`30`	`31`	`}`
`31`	`32`
	`33`	`+pragma[nomagic]`
`32`	`34`	`predicate sameVariable(VarAccess left, VarAccess right) {`
`33`	`35`	`toCompare(left, right) and`
`34`		`- left.getVariable() = right.getVariable() and`
	`36`	`+ pragma[only_bind_out](left.getVariable()) = pragma[only_bind_out](right.getVariable()) and`
`35`	`37`	`(`
`36`	`38`	`exists(Expr q1, Expr q2 \|`
`37`	`39`	`q1 = left.getQualifier() and`
`38`	`40`	`sameVariable(q1, q2) and`
`39`	`41`	`q2 = right.getQualifier()`
`40`	`42`	`)`
`41`	`43`	`or`
`42`		`- exists(RefType enclosingType \| local(enclosingType, left) and local(enclosingType, right))`
	`44`	`+ exists(RefType enclosingType \|`
	`45`	`+ local(enclosingType, pragma[only_bind_out](left)) and`
	`46`	`+ local(enclosingType, pragma[only_bind_out](right))`
	`47`	`+ )`
`43`	`48`	`)`
`44`	`49`	`}`
`45`	`50`