From af5adbac30bd18c8e31c61150281c6e320be9c7d Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 8 Jan 2026 15:02:34 +0100 Subject: [PATCH 1/2] SSA: Improve performance of finding relevant phi input nodes. --- shared/ssa/codeql/ssa/Ssa.qll | 72 ++++++++++++++++++++++++++++++----- 1 file changed, 62 insertions(+), 10 deletions(-) diff --git a/shared/ssa/codeql/ssa/Ssa.qll b/shared/ssa/codeql/ssa/Ssa.qll index 26f3d9f97719..b58d28c534f0 100644 --- a/shared/ssa/codeql/ssa/Ssa.qll +++ b/shared/ssa/codeql/ssa/Ssa.qll @@ -2081,6 +2081,54 @@ module Make< ) } + pragma[nomagic] + private predicate phiInputHasRead(SsaPhiExt phi, BasicBlock input) { + exists(DfInput::getARead(getAPhiInputDef(phi, input))) + } + + /** Holds if `bb` is the target end of a branch edge of a guard and the guard controls `bb`. */ + pragma[nomagic] + private predicate guardControlledBranchTarget(BasicBlock bb) { + exists(BasicBlock guard | + any(DfInput::Guard g).hasValueBranchEdge(guard, bb, _) and + dominatingEdge(guard, bb) + ) + } + + /** + * Holds if `prev` is the block containing the unique predecessor of `phi` + * that reaches `phi` through the input block `input`, and that `mid` is a + * block in the dominator tree between `prev` and `input` that is + * guard-equivalent with `input` in the sense that the set of guards + * controlling `mid` is the same as the set of guards controlling `input`. + * + * This is restricted to phi inputs that are actually read. + */ + private predicate phiInputGuardEquivalenceReaches( + BasicBlock prev, BasicBlock mid, SsaPhiExt phi, BasicBlock input + ) { + phiInputHasRead(phi, input) and + AdjacentSsaRefs::adjacentRefPhi(prev, _, input, phi.getBasicBlock(), phi.getSourceVariable()) and + mid = input + or + exists(BasicBlock mid0 | + phiInputGuardEquivalenceReaches(prev, mid0, phi, input) and + not guardControlledBranchTarget(mid0) and + mid0 != prev and + mid = mid0.getImmediateDominator() + ) + } + + /** + * Holds if the immediately preceding reference to the input to `phi` from + * the block `input` is guard-equivalent with `input`. + * + * This is restricted to phi inputs that are actually read. + */ + private predicate phiInputIsGuardEquivalentWithPreviousRef(SsaPhiExt phi, BasicBlock input) { + exists(BasicBlock prev | phiInputGuardEquivalenceReaches(prev, prev, phi, input)) + } + /** * Holds if the input to `phi` from the block `input` might be relevant for * barrier guards as a separately synthesized `TSsaInputNode`. @@ -2095,7 +2143,7 @@ module Make< or DfInput::supportBarrierGuardsOnPhiEdges() and // If the input isn't explicitly read then a guard cannot check it. - exists(DfInput::getARead(getAPhiInputDef(phi, input))) and + phiInputHasRead(phi, input) and ( // The input node is relevant either if it sits directly on a branch // edge for a guard, @@ -2114,15 +2162,19 @@ module Make< // } // // phi-read node for `x` // ``` - exists(BasicBlock prev | - AdjacentSsaRefs::adjacentRefPhi(prev, _, input, phi.getBasicBlock(), - phi.getSourceVariable()) and - prev != input and - exists(DfInput::Guard g, DfInput::GuardValue val | - DfInput::guardDirectlyControlsBlock(g, input, val) and - not DfInput::guardDirectlyControlsBlock(g, prev, val) - ) - ) + not phiInputIsGuardEquivalentWithPreviousRef(phi, input) + // An equivalent, but less performant, way to express this is as follows: + // ``` + // exists(BasicBlock prev | + // AdjacentSsaRefs::adjacentRefPhi(prev, _, input, phi.getBasicBlock(), + // phi.getSourceVariable()) and + // prev != input and + // exists(DfInput::Guard g, DfInput::GuardValue val | + // DfInput::guardDirectlyControlsBlock(g, input, val) and + // not DfInput::guardDirectlyControlsBlock(g, prev, val) + // ) + // ) + // ``` ) } From aae8ec224038ec9782a77b0b475ba9fc10bd77bf Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Mon, 12 Jan 2026 09:39:15 +0100 Subject: [PATCH 2/2] SSA: Use fastTC for even better performance. --- shared/ssa/codeql/ssa/Ssa.qll | 35 +++++++++++------------------------ 1 file changed, 11 insertions(+), 24 deletions(-) diff --git a/shared/ssa/codeql/ssa/Ssa.qll b/shared/ssa/codeql/ssa/Ssa.qll index b58d28c534f0..cb2d527c9641 100644 --- a/shared/ssa/codeql/ssa/Ssa.qll +++ b/shared/ssa/codeql/ssa/Ssa.qll @@ -2095,38 +2095,25 @@ module Make< ) } - /** - * Holds if `prev` is the block containing the unique predecessor of `phi` - * that reaches `phi` through the input block `input`, and that `mid` is a - * block in the dominator tree between `prev` and `input` that is - * guard-equivalent with `input` in the sense that the set of guards - * controlling `mid` is the same as the set of guards controlling `input`. - * - * This is restricted to phi inputs that are actually read. - */ - private predicate phiInputGuardEquivalenceReaches( - BasicBlock prev, BasicBlock mid, SsaPhiExt phi, BasicBlock input - ) { - phiInputHasRead(phi, input) and - AdjacentSsaRefs::adjacentRefPhi(prev, _, input, phi.getBasicBlock(), phi.getSourceVariable()) and - mid = input - or - exists(BasicBlock mid0 | - phiInputGuardEquivalenceReaches(prev, mid0, phi, input) and - not guardControlledBranchTarget(mid0) and - mid0 != prev and - mid = mid0.getImmediateDominator() - ) + private BasicBlock getGuardEquivalentImmediateDominator(BasicBlock bb) { + result = bb.getImmediateDominator() and + not guardControlledBranchTarget(bb) } /** * Holds if the immediately preceding reference to the input to `phi` from - * the block `input` is guard-equivalent with `input`. + * the block `input` is guard-equivalent with `input` in the sense that the + * set of guards controlling the preceding reference is the same as the set + * of guards controlling `input`. * * This is restricted to phi inputs that are actually read. */ private predicate phiInputIsGuardEquivalentWithPreviousRef(SsaPhiExt phi, BasicBlock input) { - exists(BasicBlock prev | phiInputGuardEquivalenceReaches(prev, prev, phi, input)) + exists(BasicBlock prev | + phiInputHasRead(phi, input) and + AdjacentSsaRefs::adjacentRefPhi(prev, _, input, phi.getBasicBlock(), phi.getSourceVariable()) and + prev = getGuardEquivalentImmediateDominator*(input) + ) } /**