Ssa: Trim the use-use relation to skip irrelevant nodes #19044

Draft: wants to merge 11 commits into base: main

aschackmull
Contributor

This PR contains 3 tweaks to the shared SSA use-use step relation in the data flow integration module. Each of them trims the step relation in order to generate fewer nodes and fewer edges.

  • WriteDefinitions are skipped for Java. There should be no need to include an extra node in the step from the RHS of an assignment to the first use of the variable, but some languages may depend on the flow out of definitions for now, so, so far, this is opt-in only.
  • Synthetic reads on the input edges to phi nodes are necessary for proper BarrierGuards. But it's only a fraction of them that are actually potentially needed by any guard, so we can restrict their creation quite a bit. Furthermore, I've added a hook to allow certain SSA usages to skip these nodes entirely if BarrierGuards are not going to be used. I expect to use this option in the VariableCapture use-case.
  • Finally, phi nodes only exist as intermediate nodes to prevent blow-ups in the number of edges, so if the successor is unique, we can safely skip the phi node.
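
An added illustration of the third tweak in the description above (bypassing a phi node whose successor is unique), not code from this PR or from the CodeQL libraries. It is plain Python over a constructed step graph; the node names and both function names are assumptions made for the example.

```python
# Added illustration: constructed graph, hypothetical names, not the QL
# implementation in shared/ssa/codeql/ssa/Ssa.qll.
from collections import defaultdict

PHIS = {"phi_a", "phi_b"}
STEPS = {  # constructed use-use style steps (src, dst)
    ("def1", "phi_a"), ("def2", "phi_a"), ("def3", "phi_a"),
    ("phi_a", "use1"),                        # phi_a has a unique successor
    ("use1", "phi_b"), ("def4", "phi_b"),
    ("phi_b", "use2"), ("phi_b", "use3"),     # phi_b has two successors
}

def skip_unique_successor_phis(edges, phis):
    """Bypass each phi node with exactly one successor; return (edges, removed)."""
    edges, removed = set(edges), set()
    changed = True
    while changed:
        changed = False
        succ = defaultdict(set)
        for s, d in edges:
            succ[s].add(d)
        for phi in sorted(phis - removed):
            outs = succ.get(phi, set()) - {phi}
            if len(outs) != 1:
                continue  # several successors: the phi still saves edges
            (target,) = outs
            preds = {s for s, d in edges if d == phi and s != phi}
            edges = {(s, d) for s, d in edges if phi not in (s, d)}
            # Send every input straight to the unique successor and drop
            # any identity step the redirection would create.
            edges |= {(p, target) for p in preds if p != target}
            removed.add(phi)
            changed = True
            break  # successor sets are stale, recompute them
    return edges, removed

def reachable(edges, start):
    """Nodes reachable from start in one or more steps."""
    seen, todo = set(), [start]
    while todo:
        n = todo.pop()
        for s, d in edges:
            if s == n and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen
```

On this graph the trimmed relation has one node and one edge fewer, while every non-phi node reaches the same non-phi nodes as before.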

@aschackmull aschackmull added the no-change-note-required label Mar 17, 2025
@Copilot Copilot bot review requested due to automatic review settings March 17, 2025 13:08
@aschackmull aschackmull requested a review from a team as a code owner March 17, 2025 13:08

Copilot wasn't able to review any files in this pull request.

Files not reviewed (2)
  • java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll: Language not supported
  • shared/ssa/codeql/ssa/Ssa.qll: Language not supported

@github-actions github-actions bot added the Java label Mar 17, 2025
@aschackmull aschackmull requested review from a team as code owners March 18, 2025 09:44
@github-actions github-actions bot added the C#, Ruby and Rust labels Mar 18, 2025
@geoffw0
Contributor

geoffw0 commented Mar 18, 2025

Looking at the DCA runs:

  • CPP has 4 new and 4 lost results for cpp/invalid-pointer-deref. They're not just moved results. I'm not sure what's going on with these.
  • Rust shows a large increase in data flow inconsistencies, which should be understood before we merge this. There's also a small (but surprising) improvement to taint reach and a 3.8% analysis slowdown (I'm not sure if either is significant).
  • Swift hasn't been run (yet)

I'm a bit surprised because from the PR description I wasn't expecting to see changes in results.

@aschackmull
Contributor Author

I've restarted dca after fixing a performance bug; the 3.8% slowdown on Rust is now 0.1% instead. As for the data flow inconsistencies (for e.g. Rust), these were fixed by the commit "SSA: Skip identity steps".

There should be no need to run dca for Swift, since Swift doesn't use the Data Flow Integration module.

As I mentioned on Slack, result changes should not occur, but they do for C++ due to the somewhat ad-hoc DataFlow::flowsToBackEdge barrier, which breaks the SSA abstraction boundary somewhat.

@aschackmull
Contributor Author

Hmm, looks like at least Java needs some tweaking before this can work as intended. The dependence of the trimming on guard.controls causes the SSA stage to collapse with range analysis. And the C++ situation also needs some additional thought to address the result differences. Let me put this in draft for now.

@aschackmull aschackmull marked this pull request as draft March 18, 2025 14:31
Labels: C#, Java, no-change-note-required, Ruby, Rust