Rust: Speedup AccessAfterLifetime.ql
#21071
Open
+82
−29
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Before
```
Pipeline standard for AccessAfterLifetimeExtensions::AccessAfterLifetime::mayEncloseOnStack/2#3cdefece#bf@61cb32j5 was evaluated in 30 iterations totaling 44856ms (delta sizes total: 241646328).
241404616 ~1% {2} r1 = SCAN `AccessAfterLifetimeExtensions::AccessAfterLifetime::mayEncloseOnStack/2#3cdefece#bf#prev_delta` OUTPUT In.1, In.0
7379161442 ~1080% {2} | JOIN WITH `_AstNode::AstNode.getEnclosingBlock/0#5c38e65a_AstNode::AstNode.getEnclosingCallable/0#5a548913_Bloc__#join_rhs` ON FIRST 1 OUTPUT Lhs.1, Rhs.1
333897324 ~40% {2} | AND NOT `AccessAfterLifetimeExtensions::AccessAfterLifetime::mayEncloseOnStack/2#3cdefece#bf#prev`(FIRST 2)
297961888 ~24% {2} | JOIN WITH `project#AccessAfterLifetimeExtensions::AccessAfterLifetime::sourceValueScope/3#d065ba16#2` ON FIRST 1 OUTPUT Lhs.0, Lhs.1
return r1
```
hvitved
force-pushed
the
rust/access-after-lifetime-perf
branch
from
bfcbf51 to
2f04451
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR optimizes the AccessAfterLifetime.ql query to significantly improve performance by replacing a recursive transitive closure calculation with doubleBoundedFastTC. The optimization was motivated by a 30% reduction in total analysis time on Rust code after a previous change (PR #20966) caused performance regression by computing transitive closure over the entire virtual dispatch graph.
Key Changes
- Introduces a parameterized module pattern using a signature for dataflow candidate pairs
- Replaces recursive
mayEncloseOnStackpredicate with optimized transitive closure usingdoubleBoundedFastTC - Refactors the logic into a
DereferenceAfterLifetimemodule that takes a flow predicate as a parameter
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql |
Updates the call to dereferenceAfterLifetime to use the new parameterized module, passing AccessAfterLifetimeFlow::flow/2 as the flow predicate |
rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll |
Refactors dereferenceAfterLifetime into a parameterized module with optimized transitive closure using doubleBoundedFastTC, introduces TcNode type to unify sources, sinks, and block expressions for efficient graph traversal |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| * Holds if block `a` contains block `b`, in the sense that a stack allocated variable in | ||
| * `a` may still be on the stack during execution of `b`. This is interprocedural, | ||
| * but is an overapproximation that doesn't accurately track call contexts | ||
| * (for example if `f` and `g` both call `b`, then then depending on the |
There was a problem hiding this comment.
The comment contains a duplicate word 'then'. The phrase should read "for example if f and g both call b, then depending on the caller..." with only one 'then'.
Suggested change
| * (for example if `f` and `g` both call `b`, then then depending on the | |
| * (for example if `f` and `g` both call `b`, then depending on the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manually pushes magic context into transitive closure calculation, and replaces the recursive calculation with
doubleBoundedFastTC.Before
The query started regressing with 108db75, which effectively computed the transitive closure over the entire virtual dispatch graph.
DCA is great; a 30 % reduction in total analysis time on
rust.