From ca8fe033d756104a47481cb0ba250c8cd6d35da9 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Fri, 18 Jul 2025 16:12:00 +0200
Subject: [PATCH 1/2] Java: Improve join by preventing ssa use-pair join.

---
 .../Collections/ArrayIndexOutOfBounds.ql | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql b/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
index ecd83e39719b..845aae01a3e8 100644
--- a/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
+++ b/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
@@ -18,6 +18,15 @@ import semmle.code.java.dataflow.SSA
 import semmle.code.java.dataflow.RangeUtils
 import semmle.code.java.dataflow.RangeAnalysis
 
+pragma[nomagic]
+predicate ssaArrayLengthBound(SsaVariable arr, Bound b) {
+ exists(FieldAccess len |
+ len.getField() instanceof ArrayLengthField and
+ len.getQualifier() = arr.getAUse() and
+ b.getExpr() = len
+ )
+}
+
 /**
 * Holds if the index expression of `aa` is less than or equal to the array length plus `k`.
 */
@@ -27,12 +36,8 @@ predicate boundedArrayAccess(ArrayAccess aa, int k) {
 aa.getArray() = arr.getAUse() and
 bounded(index, b, delta, true, _)
 |
- exists(FieldAccess len |
- len.getField() instanceof ArrayLengthField and
- len.getQualifier() = arr.getAUse() and
- b.getExpr() = len and
- k = delta
- )
+ ssaArrayLengthBound(arr, b) and
+ k = delta
 or
 exists(ArrayCreationExpr arraycreation | arraycreation = getArrayDef(arr) |
 k = delta and

From 46ebf503c76521d9f717287ec878b53e72320250 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Fri, 18 Jul 2025 16:13:11 +0200
Subject: [PATCH 2/2] Java: Improve join-order by controlling magic and breaking up TCs.

---
 .../Statements/PartiallyMaskedCatch.ql | 26 ++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

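Review bot: The new `predicate ssaArrayLengthBound(SsaVariable arr, Bound b)` in the first hunk of ArrayIndexOutOfBounds.ql has no QLDoc, while the predicate directly below it (`boundedArrayAccess`, whose "Holds if the index expression of `aa` ..." comment is visible as context) is documented; I would add a one-line QLDoc above `pragma[nomagic]` stating that it holds when the expression of bound b is an access of the length field whose qualifier is a use of the SSA variable arr. The same comment is the right place to record why the predicate is `pragma[nomagic]` — that it is deliberately computed once over all (arr, b) pairs so the SSA-use join is not re-specialised inside `boundedArrayAccess`; at present that reasoning lives only in the commit subject. If nothing outside this query file needs the predicate, consider declaring it `private predicate ssaArrayLengthBound(...)` so it is not picked up as part of the query's surface. The second hunk, which replaces the inlined `exists(FieldAccess len | ...)` with `ssaArrayLengthBound(arr, b) and k = delta`, is equivalent to the removed lines and needs no further change.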
diff --git a/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql b/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql
index eb5c2d380c65..b9a0229b60ff 100644
--- a/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql
+++ b/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql
@@ -15,14 +15,34 @@
 
 import java
 
+pragma[nomagic]
+predicate mayThrow(Stmt s, RefType rt) {
+ s.(ThrowStmt).getExpr().getType() = rt
+ or
+ exists(Call call |
+ call.getEnclosingStmt() = s and
+ call.getCallee().getAnException().getType() = rt
+ )
+}
+
+pragma[nomagic]
+predicate caughtBy(TryStmt try, Stmt s, RefType rt) {
+ mayThrow(s, rt) and
+ s.getEnclosingStmt+() = try.getBlock() and
+ caughtType(try, _).hasSubtype*(rt)
+}
+
+pragma[nomagic]
+predicate nestedTry(TryStmt outer, TryStmt inner) { inner.getEnclosingStmt+() = outer.getBlock() }
+
 /**
 * Exceptions of type `rt` thrown from within statement `s` are caught by an inner try block
 * and are therefore not propagated to the outer try block `t`.
 */
 private predicate caughtInside(TryStmt t, Stmt s, RefType rt) {
- exists(TryStmt innerTry | innerTry.getEnclosingStmt+() = t.getBlock() |
- s.getEnclosingStmt+() = innerTry.getBlock() and
- caughtType(innerTry, _).hasSubtype*(rt)
+ exists(TryStmt innerTry |
+ nestedTry(t, innerTry) and
+ caughtBy(innerTry, s, rt)
 )
 }
 
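Review bot: `caughtInside` is narrower after this hunk than before it — the new body goes through `caughtBy(innerTry, s, rt)`, which conjoins `mayThrow(s, rt)`, whereas the removed lines held for any `s` nested in the inner try block regardless of whether `s` throws — yet the QLDoc above `private predicate caughtInside` is unchanged. If every caller already restricts `s` to statements that may throw `rt` this is a pure join-order change, but the callers are outside the hunk, so that is an inference; either way the QLDoc should state the extra condition, e.g. that it holds only when s is a throw statement of type rt or directly encloses a call whose callee declares rt (the two cases `mayThrow` covers). The three new predicates `mayThrow`, `caughtBy` and `nestedTry` carry no QLDoc at all, while the file documents `caughtInside` right below them; each needs a one-line comment, and `caughtBy` should spell out that `s` must lie transitively inside `try.getBlock()` and that the caught type is matched via `hasSubtype*`. Since `caughtInside` is `private` and the new helpers exist only to break up its joins, consider making them `private predicate` too; the `pragma[nomagic]` on each would also be easier to keep if the comment says the predicate is meant to be materialised unspecialised, which is the reason the commit subject gives.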