Swift: implement type pruning for dataflow

[rdmarsh2]

This PR implements type pruning for dataflow by adding DataFlowType, which corresponds to only the canonical types in the Swift type hierarchy, adding a new getType member predicate to DataFlow::Node, and using them to implement the getNodeType predicate that type pruning relies on.

[rdmarsh2]

Note that this currently includes some commits from #14570, which will hopefully be rebased away once that PR is merged.

[geoffw0]

Initial review. This looks good to me, though (inevitably on a PR of this size and complexity) I've made quite a lot of minor comments / questions. Testing will be important here - though I gather you've done quite a bit of debugging already. I'll have a quick go with the branch myself later today.

[geoffw0]

What is this predicate for? Should it have QLDoc?

[rdmarsh2]

It's used in a few places in the dataflow library to select the more precise of two types, for instance when runtime overload resolution can tell us that a parameter has a more specific type than the argument that flows to it.

[MathiasVP]

I requested QLDoc when it was introduced here: #13083 (comment), but it was postponed until we had turned the dataflow library into a shared qlpack. This has now been the case for a while so we should probably add QLDoc to this one now (cc @aschackmull)

[aschackmull]

Here you go: #14612

[geoffw0]

What is the canonical type of a type exactly? (the QLDoc sadly reads "Gets the canonical type of this type.").

[rdmarsh2]

It's the unique type after resolving aliases and desugaring. For instance, if we have typealias MyInt == Int, then [MyInt?] has the canonical type Array<Optional<Int>>

[rdmarsh2]

I'm tempted to add getCanonicalType to Expr, Pattern, and whatever form of Decl makes sense, in the same way that we have getUnspecifiedType for C++

[geoffw0]

I'm a bit worried about performance here, though probably the pragma[inline] keeps it relatively constrained. I guess DCA will confirm or refute my concerns...

[geoffw0]

I'm a bit concerned about the name of this module if it's no longer cached.

[rdmarsh2]

Oops, I did that for debugging and didn't mean for it to land in the final commit.

[geoffw0]

Do we need to account for stuff like AnyType? here?

[geoffw0]

I expected the = and != in here to be recursive calls to compatibleTypes. Should they be?

[rdmarsh2]

Ideally they would... Unfortunately doing that forces the relation to be materialized, which seems to be infeasible.

[geoffw0]

It might be worth stating that this relationship is not commutative, i.e. in some cases compatibleTypes(a, b) is not the same as compatibleTypes(b, a)? I found this surprising (but I think I understand why).

[rdmarsh2]

In the current implementation it's actually commutative. It isn't transitive, though.

[geoffw0]

I think the use of implies in the bit for a FunctionType makes it not commutative. compatibleTypes(notThrowingFunction, throwingFunction) might hold while compatibleTypes(throwingFunction, notThrowingFunction) does not.

[MathiasVP]

compatibleTypes is actually required to be symmetric/commutative:

codeql/shared/dataflow/codeql/dataflow/DataFlow.qll

Line 111 in 04ca36f

* This predicate must be symmetric and reflexive.

. I do think that this relation is symmetric now, though, right?

[geoffw0]

Possibly ForceValueExpr, OptionalSomePattern, AnyTryExpr, VarargExpansionExpr??? I'm really not sure though.

[rdmarsh2]

Yeah, all of those can change the type

[geoffw0]

This is going to be widely useful. 👍

[geoffw0]

I agree with the qldoc checks that this file and the AnyType class should have QLDoc. It can be short and to the point.

[geoffw0]

I've just noticed t1, t2 are not bound to f1, f2 in this case.

[rdmarsh2]

oh jeez, that might be why it was blowing up...

[geoffw0]

Yeah, I'm seeing performance issues as well.

[geoffw0]

Sorry for taking a few days to get back to this. I've asked a couple of questions to aid my understanding.

We will need a new DCA run on this PR, when you think it's ready.

[geoffw0]

What's the difference between TTopFunctionType and TDataFlowFunctionType? Why do we need both?

[rdmarsh2]

TTopFunctionType allows any function type, DataFlowFunctionType is a specific callable (and can be used to improve precision of lambda call resolution)

[geoffw0]

Why did this line and 5 lines above get commented out?

[geoffw0]

What's going on here?

[rdmarsh2]

This predicate only applies to nodes that are synthesized from a callback in a modeled function. The AnyType is the top of Swift's type hierarchy (although it's not included in the getABaseType relationship), so we're allowing any type here. It's certainly possible to be more precise, though.

[MathiasVP]

This looks like a cartesian product between all DataFlowTypes and all ArgumentPositions, right? This was fine before because DataFlowType was a unit type, but this looks like a real CP now, though? Or is the assumption that this fine because there aren't that many ArgumentPositions?

[MathiasVP]

Lots of comments (mostly just questions to help me understand the code), but I'm really happy that we're almost there 🎉

[MathiasVP]

Why do we need both cases here? Is that to handle each callable having their own type?

In any case, a comment on this would be helpful

[rdmarsh2]

That's handling lambdas vs references to functions

[MathiasVP]

Not all SourceVariables has a result for asVarDecl (in particular, some of them are related to key paths: https://github.com/github/codeql/blob/main/swift/ql/lib/codeql/swift/dataflow/Ssa.qll#L28).

It seems like these don't have a type now? Should we instead have a getType predicate on SourceVariable (that all instances of the abstract class then implements) so that this predicate could instead be implemented as getDataFlowType(this.asDefinition().getSourceVariable())?

[rdmarsh2]

Done.

[MathiasVP]

This looks very complicated 😨. Since DictionarySubscriptNode is really just an intermediate node that follows a subscript so that we can push both a TupleContent and a CollectionContent: could we instead simply get the type here by forwarding the call to the node representing the subscript expression?

[rdmarsh2]

I don't think so - the type of this node needs to be a tuple type so the read steps work out correctly.

[MathiasVP]

Why does this need to be getArgType(1)?

[rdmarsh2]

See the above comment.

[MathiasVP]

Do we really need to implement getTypeImpl on all the post-update nodes? Can the result of getTypeImpl on a post-update node not simply be the result of calling getTypeImpl on the pre-update node?

[MathiasVP]

Oh, I see what we do actually implement this predicate on PostUpdateNodes: https://github.com/github/codeql/pull/14592/files#diff-514dd0988f7b47e40ff8c1e66ea886d1f947d047da108270ed0ddec75c2856c1R1531. Do we really need this (and similar) overrides then?

[rdmarsh2]

Probably not. I can delete and recheck

[rdmarsh2]

That was actually only on ExprPostUpdateNodes. Moving it to PostUpdateNodeImpl simplifies some things, although it leads to a couple of duplicate overrides. It also fixed a bug with the postupdate nodes on keypaths.

[MathiasVP]

Similar question here: I think that compatibleTuples holds when there is a common index in which both tuple types is either the any type or an unbound type. When no such index exists, does that mean they're compatible because of the first condition in compatibleTypes?

[MathiasVP]

Do we really want to expose the DataFlowType type to users?

[MathiasVP]

This looks like a cartesian product between all DataFlowTypes and all ArgumentPositions, right? This was fine before because DataFlowType was a unit type, but this looks like a real CP now, though? Or is the assumption that this fine because there aren't that many ArgumentPositions?

[MathiasVP]

Same here. This looks like a CP between all types and all return kinds. I guess this is fine if the getCallbackParameterType case is also fine?

[rdmarsh2]

It was fine but we don't actually need these anymore - they were part of the old API but not the new one.

[MathiasVP]

Two questions:

• This looks like something that could blow up with a bad join order, right? That is, it we start by joining together all TupleTypes that has the same number of types. Does the joins look okay in this case?
• Does the unlabeled version of a tuple type always exist? Or should the QLDoc say [...], if any.? And if this predicate really is partial: Is that a problem for the way we use it in stripType?

[geoffw0]

Today is my last day before Christmas, so I'm probably not going to get chance to review the final version of this. I just want to post something to make it clear I do not expect you to wait for my final 👍. I trust @rdmarsh2 s work and @MathiasVP s judgement, so once you're both happy I'm happy. I do suggest you do another DCA run at some point though, and make sure any remaining regressions in performance or query results are at least understood.

[geoffw0]

I think there are some comments above that haven't yet been addressed. Please would you reply to them, fix the failing checks, and state when this PR is ready to review again? Is there anything we can do to help?