C++: Fix a join order in readStep using the unbindInt predicate from the shared dataflow library. This is the tuple counts on ChakraCore before the fix:

(5539s) Tuple counts for DataFlowPrivate::readStep#fff:
3208924     ~0%      {2} r1 = SCAN Operand::NonPhiMemoryOperand::getAnyDef_dispred#3#ff AS I OUTPUT I.<1>, I.<0>
3208924     ~2%      {2} r2 = JOIN r1 WITH DataFlowUtil::TInstructionNode#ff AS R ON FIRST 1 OUTPUT r1.<1>, R.<1>
751306      ~8%      {2} r3 = JOIN r2 WITH Instruction::CopyInstruction::getSourceValueOperand_dispred#3#ff_10#join_rhs AS R ON FIRST 1 OUTPUT R.<1>, r2.<1>
751306      ~0%      {3} r4 = JOIN r3 WITH DataFlowUtil::TInstructionNode#ff AS R ON FIRST 1 OUTPUT r3.<0>, r3.<1>, R.<1>
751306      ~0%      {4} r5 = JOIN r4 WITH Instruction::CopyInstruction::getSourceValueOperand_dispred#3#ff AS R ON FIRST 1 OUTPUT R.<1>, r4.<1>, r4.<0>, r4.<2>
751306      ~2%      {4} r6 = JOIN r5 WITH Operand::NonPhiMemoryOperand::getAnyDef_dispred#3#ff AS R ON FIRST 1 OUTPUT R.<1>, r5.<1>, r5.<2>, r5.<3>
209341      ~0%      {4} r7 = JOIN r6 WITH Instruction::Instruction::getResultType_dispred#fb AS R ON FIRST 1 OUTPUT R.<1>, r6.<1>, r6.<2>, r6.<3>
7115323     ~1%      {6} r8 = JOIN r7 WITH DataFlowPrivate::FieldContent#class#ffff_1023#join_rhs AS R ON FIRST 1 OUTPUT R.<2>, R.<3>, r7.<1>, r7.<2>, r7.<3>, R.<1>
81341188413 ~0%      {5} r9 = JOIN r8 WITH SSAConstruction::Cached::getUsedInterval#fff_120#join_rhs AS R ON FIRST 2 OUTPUT r8.<3>, R.<2>, r8.<2>, r8.<4>, r8.<5>
137684      ~7%      {3} r10 = JOIN r9 WITH Instruction::CopyInstruction::getSourceValueOperand_dispred#3#ff AS R ON FIRST 2 OUTPUT r9.<2>, r9.<4>, r9.<3>
751306      ~0%      {3} r11 = JOIN r4 WITH Instruction::LoadInstruction::getSourceAddress_dispred#ff AS R ON FIRST 1 OUTPUT R.<1>, r4.<1>, r4.<2>
94306       ~0%      {3} r12 = JOIN r11 WITH Instruction::FieldInstruction::getField_dispred#3#ff AS R ON FIRST 1 OUTPUT R.<1>, r11.<1>, r11.<2>
152363      ~6%      {3} r13 = JOIN r12 WITH DataFlowPrivate::FieldContent::getField_dispred#ff_10#join_rhs AS R ON FIRST 1 OUTPUT r12.<1>, R.<1>, r12.<2>
290047      ~22%     {3} r14 = r10 \/ r13
                     return r14

and after:

(851s) Tuple counts for DataFlowPrivate::readStep#fff:
3208924 ~0%      {2} r1 = SCAN Operand::NonPhiMemoryOperand::getAnyDef_dispred#3#ff AS I OUTPUT I.<1>, I.<0>
3208924 ~2%      {2} r2 = JOIN r1 WITH DataFlowUtil::TInstructionNode#ff AS R ON FIRST 1 OUTPUT r1.<1>, R.<1>
751306  ~8%      {2} r3 = JOIN r2 WITH Instruction::CopyInstruction::getSourceValueOperand_dispred#3#ff_10#join_rhs AS R ON FIRST 1 OUTPUT R.<1>, r2.<1>
751306  ~0%      {3} r4 = JOIN r3 WITH DataFlowUtil::TInstructionNode#ff AS R ON FIRST 1 OUTPUT r3.<0>, r3.<1>, R.<1>
751306  ~0%      {4} r5 = JOIN r4 WITH Instruction::CopyInstruction::getSourceValueOperand_dispred#3#ff AS R ON FIRST 1 OUTPUT r4.<0>, r4.<1>, r4.<2>, R.<1>
751306  ~0%      {5} r6 = JOIN r5 WITH Instruction::CopyInstruction::getSourceValueOperand_dispred#3#ff AS R ON FIRST 1 OUTPUT R.<1>, r5.<1>, r5.<0>, r5.<2>, r5.<3>
751306  ~0%      {5} r7 = JOIN r6 WITH Operand::NonPhiMemoryOperand::getAnyDef_dispred#3#ff AS R ON FIRST 1 OUTPUT R.<1>, r6.<1>, r6.<2>, r6.<3>, r6.<4>
209341  ~1%      {5} r8 = JOIN r7 WITH Instruction::Instruction::getResultType_dispred#fb AS R ON FIRST 1 OUTPUT R.<1>, r7.<1>, r7.<2>, r7.<3>, r7.<4>
7115323 ~0%      {7} r9 = JOIN r8 WITH DataFlowPrivate::FieldContent#class#ffff_1023#join_rhs AS R ON FIRST 1 OUTPUT r8.<4>, r8.<1>, r8.<2>, r8.<3>, R.<1>, R.<2>, R.<3>
7116087 ~0%      {9} r10 = JOIN r9 WITH SSAConstruction::Cached::getUsedInterval#fff@staged_ext AS R ON FIRST 1 OUTPUT r9.<1>, r9.<2>, r9.<3>, r9.<0>, r9.<4>, r9.<5>, r9.<6>, R.<1>, R.<2>
449879  ~4%      {9} r11 = SELECT r10 ON r10.<5> <= r10.<7>
193804  ~1%      {9} r12 = SELECT r11 ON r11.<5> >= r11.<7>
154980  ~0%      {9} r13 = SELECT r12 ON r12.<6> <= r12.<8>
137684  ~0%      {9} r14 = SELECT r13 ON r13.<6> >= r13.<8>
137684  ~7%      {3} r15 = SCAN r14 OUTPUT r14.<0>, r14.<4>, r14.<2>
751306  ~0%      {3} r16 = JOIN r4 WITH Instruction::LoadInstruction::getSourceAddress_dispred#ff AS R ON FIRST 1 OUTPUT R.<1>, r4.<1>, r4.<2>
94306   ~0%      {3} r17 = JOIN r16 WITH Instruction::FieldInstruction::getField_dispred#3#ff AS R ON FIRST 1 OUTPUT R.<1>, r16.<1>, r16.<2>
152363  ~6%      {3} r18 = JOIN r17 WITH DataFlowPrivate::FieldContent::getField_dispred#ff_10#join_rhs AS R ON FIRST 1 OUTPUT r17.<1>, R.<1>, r17.<2>
290047  ~22%     {3} r19 = r15 \/ r18
                 return r19

Author: MathiasVP

cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -233,6 +233,9 @@ predicate storeStep(Node node1, Content f, PostUpdateNode node2) {
   storeStepChi(node1, f, node2)
 }
 
+bindingset[result, i]
+private int unbindInt(int i) { i <= result and i >= result }
+
 /**
  * Holds if data can flow from `node1` to `node2` via a read of `f`.
  * Thus, `node1` references an object with a field `f` whose value ends up in
@@ -245,7 +248,7 @@ predicate readStep(Node node1, Content f, Node node2) {
     (
       exists(Class c, int startBit, int endBit |
         c = load.getSourceValueOperand().getAnyDef().getResultType() and
-        load.getSourceValueOperand().getUsedInterval(startBit, endBit) and
+        load.getSourceValueOperand().getUsedInterval(unbindInt(startBit), unbindInt(endBit)) and
         f.(FieldContent).hasOffset(c, startBit, endBit)
       )
       or