codeql-queries
Performances / accuracy of Recursion query
Trying to debug some performance issues following https://github.com/trailofbits/codeql-queries/pull/14#issuecomment-2547906076
Testing setup:
Command:
codeql database analyze --rerun --threads=-1 codeqldb-elasticsearch-817 java/src/security/Recursion/Recursion.ql --format=sarif-latest --output=recursion.sarif
Test on elasticsearch codebase version 8.17 (I generated the DB myself).
Test 1
Without isBarrierOut: 52s
Test 2
With isBarrierOut: none() : 51.8s
Idea: Does adding isBarrierOut change anything?
Test 3
Warning: wrong predicate
Idea: Check that accessing the state is not too costly
predicate isBarrierOut(DataFlow::Node node, FlowState state) {
  node.asExpr().(MethodCall).getCallee().getName() = state.getName()
}
Execution time: 34s
Test 4
Idea: String comparison
predicate isBarrierOut(DataFlow::Node node, FlowState state) {
  node.asExpr().(MethodCall).getCallee().getName() > state.getName()
}
Execution time: Timeout (+ 5min)
Test 5
Warning: wrong predicate
Idea: String comparison is expensive, use integers
predicate isBarrierOut(DataFlow::Node node, FlowState state) {
  node.asExpr().(MethodCall).getCallee().getLocation().getStartLine() = state.getLocation().getStartLine()
}
Execution time: Timeout (+ 5min)
Test 6
Idea: not multiplying methods and merge barrier function
predicate isBarrier(DataFlow::Node node, FlowState state) {
  exists(MethodCall ma |
    ma = node.asExpr() and
    (
      exists(Expr e | e = ma.getAnArgument() and e instanceof ParameterOperation) or
      ma.getCaller().getName() > state.getName()
    )
  )
}
Execution time: Timeout (+ 5min)