x/vuln: optimization opportunities #57357

adonovan · 2022-12-16T19:01:43Z

Some ways we could make govulncheck faster, based on observations of a CPU profile:

request the vulns from the db in parallel with SSA construction. If the vulns set is empty, return without waiting for SSA construction to finish.
change VTA to build the CHA callgraph internally. Use a different representation to avoid the duplication of edges. e.g. every io.Reader.Read callsite has an edge to every concrete Read method, but all sites have the same set of edges and callees. They could be factored.
Don't use three maps in the implementation of Tarjan's algorithm, use fields in the node itself. The single vtaGraph map could provide both the connectivity relation and the state of Tarjan for each node.

gopherbot · 2023-01-04T07:59:08Z

Change https://go.dev/cl/460435 mentions this issue: go/callgraph/vta: optimize scc computation

gopherbot · 2023-01-04T22:01:32Z

Change https://go.dev/cl/460420 mentions this issue: vulncheck: build callgraph in parallel with fetching db

timothy-king · 2023-01-05T19:39:29Z

change VTA to build the CHA callgraph internally. Use a different representation to avoid the duplication of edges. e.g. every io.Reader.Read callsite has an edge to every concrete Read method, but all sites have the same set of edges and callees.

This idea is currently blocked on VTA using both incoming and outgoing edges from the callgraph.Graph. If it only uses outgoing edges, we can benefit from only constructing the outgoing CHA edges, which is roughly what this suggestion is. In particular, rtrn needs to be updated.

gopherbot · 2023-01-05T20:36:45Z

Change https://go.dev/cl/460758 mentions this issue: go/callgraph/cha: refactor callee construction

Optimizes how sccs are internally computed by reducing the amount of maps created and map lookups performed. Between 4-10% faster on benchmarks of callgraph construction. Updates golang/go#57357 Change-Id: I0ecd92c32358a56d1cae67beb352ec15b7b4367e Reviewed-on: https://go-review.googlesource.com/c/tools/+/460435 Run-TryBot: Tim King <[email protected]> TryBot-Result: Gopher Robot <[email protected]> gopls-CI: kokoro <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]>

Source(...) now builds the *ssa.Program and callgraph from the *ssa.Program in parallel with fetching vulnerabilities. Returns as soon as the vuln set is empty. Updates golang/go#57357 Change-Id: I310b93f7125b5edcc2a5744db9f9f595c70aa5d4 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/460420 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Alan Donovan <[email protected]> Run-TryBot: Tim King <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]>

zpavlinovic · 2023-01-10T11:46:57Z

change VTA to build the CHA callgraph internally. Use a different representation to avoid the duplication of edges. e.g. every io.Reader.Read callsite has an edge to every concrete Read method, but all sites have the same set of edges and callees.

This idea is currently blocked on VTA using both incoming and outgoing edges from the callgraph.Graph. If it only uses outgoing edges, we can benefit from only constructing the outgoing CHA edges, which is roughly what this suggestion is. In particular, rtrn needs to be updated.

In principle, we can construct the incoming edges from outgoing, so I believe the VTA can be refactored to account for this. This construction would only be done for this different representation. I suspect it would be rather inexpensive.

timothy-king · 2023-01-10T18:10:22Z

Another possible option would maybe be to have nodes for return values? Return statement values could flow into those nodes and when the calls happen we can connect the results to the return nodes. More nodes for doing fewer edges like a likely minor win.

zpavlinovic · 2023-01-10T18:22:06Z

We could do that as well. I think this is also what naturally pops up when implementing invoke-group optimization.

Refactors callee construction to create a function mapping a callsite to its callees. This consumes 4x less memory and is 37% faster than fully constructing a callgraph.Graph on a benchmark for a net/http server. If made public, this could be used to optimize the performance of vulncheck. Updates golang/go#57357 Change-Id: I42faa859d10f30361d3d497a81245af7f61e8a01 Reviewed-on: https://go-review.googlesource.com/c/tools/+/460758 gopls-CI: kokoro <[email protected]> Run-TryBot: Tim King <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]> TryBot-Result: Gopher Robot <[email protected]>

gopherbot · 2023-01-10T21:33:00Z

Change https://go.dev/cl/461417 mentions this issue: gopls: update golang.org/x/vuln@6ad3e3d

govulncheck.DefaultCache interface was changed to return error. Update callsites. Notable changes: vulncheck performance improvements (golang/go#57357) https://go-review.googlesource.com/c/vuln/+/460422 https://go-review.googlesource.com/c/vuln/+/460420 store the vuln info cache under module cache directory https://go-review.googlesource.com/c/vuln/+/459036 https://go-review.googlesource.com/c/vuln/+/460421 Change-Id: Ie3816f31b4e1178bb2067cb09c1c726dd37fad55 Reviewed-on: https://go-review.googlesource.com/c/tools/+/461417 Run-TryBot: Hyang-Ah Hana Kim <[email protected]> TryBot-Result: Gopher Robot <[email protected]> gopls-CI: kokoro <[email protected]> Reviewed-by: Robert Findley <[email protected]>

Source(...) now builds the *ssa.Program and callgraph from the *ssa.Program in parallel with fetching vulnerabilities. Returns as soon as the vuln set is empty. Updates golang/go#57357 Change-Id: I310b93f7125b5edcc2a5744db9f9f595c70aa5d4 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/460420 TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Alan Donovan <[email protected]> Run-TryBot: Tim King <[email protected]> Reviewed-by: Zvonimir Pavlinovic <[email protected]>

gopherbot · 2024-09-03T13:45:22Z

Change https://go.dev/cl/609978 mentions this issue: go/callgraph/vta: allow nil initial call graph

When nil is passed as the initial call graph, vta will use a more performant version of CHA. For this purpose, lazyCallees function of CHA is exposed to VTA. This change reduces the time and memory footprint for ~10%, measured on several large real world Go projects. Updates golang/go#57357 Change-Id: Ib5c5edca0026e6902e453fa10fc14f2b763849db Reviewed-on: https://go-review.googlesource.com/c/tools/+/609978 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Alan Donovan <[email protected]>

zpavlinovic · 2024-09-03T16:29:59Z

All three mentioned optimizations are now done so I am marking this complete.

adonovan added the vulncheck or vulndb Issues for the x/vuln or x/vulndb repo label Dec 16, 2022

gopherbot modified the milestones: Unreleased, vuln/unplanned Dec 16, 2022

adonovan assigned zpavlinovic and timothy-king Dec 16, 2022

zpavlinovic closed this as completed Sep 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vuln: optimization opportunities #57357

x/vuln: optimization opportunities #57357

adonovan commented Dec 16, 2022 •

edited

Loading

gopherbot commented Jan 4, 2023

gopherbot commented Jan 4, 2023

timothy-king commented Jan 5, 2023

gopherbot commented Jan 5, 2023

zpavlinovic commented Jan 10, 2023

timothy-king commented Jan 10, 2023

zpavlinovic commented Jan 10, 2023

gopherbot commented Jan 10, 2023

gopherbot commented Sep 3, 2024

zpavlinovic commented Sep 3, 2024

x/vuln: optimization opportunities #57357

x/vuln: optimization opportunities #57357

Comments

adonovan commented Dec 16, 2022 • edited Loading

gopherbot commented Jan 4, 2023

gopherbot commented Jan 4, 2023

timothy-king commented Jan 5, 2023

gopherbot commented Jan 5, 2023

zpavlinovic commented Jan 10, 2023

timothy-king commented Jan 10, 2023

zpavlinovic commented Jan 10, 2023

gopherbot commented Jan 10, 2023

gopherbot commented Sep 3, 2024

zpavlinovic commented Sep 3, 2024

adonovan commented Dec 16, 2022 •

edited

Loading