Merge pull request #4013 from yoff/SharedDataflow_SequenceFlow

Python: Shared dataflow: Content flow
2025-12-21 03:06:31 +01:00 · 2020-08-25 15:38:14 +02:00
parent 92c97b1778 2608509fa7
commit 000fa33d54
5 changed files with 437 additions and 28 deletions
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -277,15 +277,193 @@ predicate jumpStep(Node pred, Node succ) {
 // Field flow
 //--------
 /**
- * Holds if data can flow from `node1` to `node2` via an assignment to
+ * Holds if data can flow from `nodeFrom` to `nodeTo` via an assignment to
 * content `c`.
 */
-predicate storeStep(Node node1, Content c, Node node2) { none() }
+predicate storeStep(Node nodeFrom, Content c, Node nodeTo) {
+  listStoreStep(nodeFrom, c, nodeTo)
+  or
+  setStoreStep(nodeFrom, c, nodeTo)
+  or
+  tupleStoreStep(nodeFrom, c, nodeTo)
+  or
+  dictStoreStep(nodeFrom, c, nodeTo)
+  or
+  comprehensionStoreStep(nodeFrom, c, nodeTo)
+}
+
+/** Data flows from an element of a list to the list. */
+predicate listStoreStep(CfgNode nodeFrom, ListElementContent c, CfgNode nodeTo) {
+  // List
+  //   `[..., 42, ...]`
+  //   nodeFrom is `42`, cfg node
+  //   nodeTo is the list, `[..., 42, ...]`, cfg node
+  //   c denotes element of list
+  nodeTo.getNode().(ListNode).getAnElement() = nodeFrom.getNode()
+}
+
+/** Data flows from an element of a set to the set. */
+predicate setStoreStep(CfgNode nodeFrom, ListElementContent c, CfgNode nodeTo) {
+  // Set
+  //   `{..., 42, ...}`
+  //   nodeFrom is `42`, cfg node
+  //   nodeTo is the set, `{..., 42, ...}`, cfg node
+  //   c denotes element of list
+  nodeTo.getNode().(SetNode).getAnElement() = nodeFrom.getNode()
+}
+
+/** Data flows from an element of a tuple to the tuple at a specific index. */
+predicate tupleStoreStep(CfgNode nodeFrom, TupleElementContent c, CfgNode nodeTo) {
+  // Tuple
+  //   `(..., 42, ...)`
+  //   nodeFrom is `42`, cfg node
+  //   nodeTo is the tuple, `(..., 42, ...)`, cfg node
+  //   c denotes element of tuple and index of nodeFrom
+  exists(int n |
+    nodeTo.getNode().(TupleNode).getElement(n) = nodeFrom.getNode() and
+    c.getIndex() = n
+  )
+}
+
+/** Data flows from an element of a dictionary to the dictionary at a specific key. */
+predicate dictStoreStep(CfgNode nodeFrom, DictionaryElementContent c, CfgNode nodeTo) {
+  // Dictionary
+  //   `{..., "key" = 42, ...}`
+  //   nodeFrom is `42`, cfg node
+  //   nodeTo is the dict, `{..., "key" = 42, ...}`, cfg node
+  //   c denotes element of dictionary and the key `"key"`
+  exists(KeyValuePair item |
+    item = nodeTo.getNode().(DictNode).getNode().(Dict).getAnItem() and
+    nodeFrom.getNode().getNode() = item.getValue() and
+    c.getKey() = item.getKey().(StrConst).getS()
+  )
+}
+
+/** Data flows from an element expression in a comprehension to the comprehension. */
+predicate comprehensionStoreStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
+  // Comprehension
+  //   `[x+1 for x in l]`
+  //   nodeFrom is `x+1`, cfg node
+  //   nodeTo is `[x+1 for x in l]`, cfg node
+  //   c denotes list or set or dictionary without index
+  //
+  // List
+  nodeTo.getNode().getNode().(ListComp).getElt() = nodeFrom.getNode().getNode() and
+  c instanceof ListElementContent
+  or
+  // Set
+  nodeTo.getNode().getNode().(SetComp).getElt() = nodeFrom.getNode().getNode() and
+  c instanceof SetElementContent
+  or
+  // Dictionary
+  nodeTo.getNode().getNode().(DictComp).getElt() = nodeFrom.getNode().getNode() and
+  c instanceof DictionaryElementAnyContent
+}

 /**
- * Holds if data can flow from `node1` to `node2` via a read of content `c`.
+ * Holds if data can flow from `nodeFrom` to `nodeTo` via a read of content `c`.
 */
-predicate readStep(Node node1, Content c, Node node2) { none() }
+predicate readStep(Node nodeFrom, Content c, Node nodeTo) {
+  subscriptReadStep(nodeFrom, c, nodeTo)
+  or
+  popReadStep(nodeFrom, c, nodeTo)
+  or
+  comprehensionReadStep(nodeFrom, c, nodeTo)
+}
+
+/** Data flows from a sequence to a subscript of the sequence. */
+predicate subscriptReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
+  // Subscript
+  //   `l[3]`
+  //   nodeFrom is `l`, cfg node
+  //   nodeTo is `l[3]`, cfg node
+  //   c is compatible with 3
+  nodeFrom.getNode() = nodeTo.getNode().(SubscriptNode).getObject() and
+  (
+    c instanceof ListElementContent
+    or
+    c instanceof SetElementContent
+    or
+    c instanceof DictionaryElementAnyContent
+    or
+    c.(TupleElementContent).getIndex() =
+      nodeTo.getNode().(SubscriptNode).getIndex().getNode().(IntegerLiteral).getValue()
+    or
+    c.(DictionaryElementContent).getKey() =
+      nodeTo.getNode().(SubscriptNode).getIndex().getNode().(StrConst).getS()
+  )
+}
+
+/** Data flows from a sequence to a call to `pop` on the sequence. */
+predicate popReadStep(CfgNode nodeFrom, Content c, CfgNode nodeTo) {
+  // set.pop or list.pop
+  //   `s.pop()`
+  //   nodeFrom is `s`, cfg node
+  //   nodeTo is `s.pop()`, cfg node
+  //   c denotes element of list or set
+  exists(CallNode call, AttrNode a |
+    call.getFunction() = a and
+    a.getName() = "pop" and // Should match appropriate call since we tracked a sequence here.
+    not exists(call.getAnArg()) and
+    nodeFrom.getNode() = a.getObject() and
+    nodeTo.getNode() = call and
+    (
+      c instanceof ListElementContent
+      or
+      c instanceof SetElementContent
+    )
+  )
+  or
+  // dict.pop
+  //   `d.pop("key")`
+  //   nodeFrom is `d`, cfg node
+  //   nodeTo is `d.pop("key")`, cfg node
+  //   c denotes the key `"key"`
+  exists(CallNode call, AttrNode a |
+    call.getFunction() = a and
+    a.getName() = "pop" and // Should match appropriate call since we tracked a dictionary here.
+    nodeFrom.getNode() = a.getObject() and
+    nodeTo.getNode() = call and
+    c.(DictionaryElementContent).getKey() = call.getArg(0).getNode().(StrConst).getS()
+  )
+}
+
+/** Data flows from a iterated sequence to the variable iterating over the sequence. */
+predicate comprehensionReadStep(CfgNode nodeFrom, Content c, EssaNode nodeTo) {
+  // Comprehension
+  //   `[x+1 for x in l]`
+  //   nodeFrom is `l`, cfg node
+  //   nodeTo is `x`, essa var
+  //   c denotes element of list or set
+  exists(For f, Comp comp |
+    f = getCompFor(comp) and
+    nodeFrom.getNode().getNode() = getCompIter(comp) and
+    nodeTo.getVar().getDefinition().(AssignmentDefinition).getDefiningNode().getNode() =
+      f.getTarget() and
+    (
+      c instanceof ListElementContent
+      or
+      c instanceof SetElementContent
+    )
+  )
+}
+
+/** This seems to compensate for extractor shortcomings */
+For getCompFor(Comp c) {
+  c.contains(result) and
+  c.getFunction() = result.getScope()
+}
+
+/** This seems to compensate for extractor shortcomings */
+AstNode getCompIter(Comp c) {
+  c.contains(result) and
+  c.getScope() = result.getScope() and
+  not result = c.getFunction() and
+  not exists(AstNode between |
+    c.contains(between) and
+    between.contains(result)
+  )
+}

 /**
 * Holds if values stored inside content `c` are cleared at node `n`. For example,
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
@@ -33,8 +33,15 @@ class Node extends TNode {
  /** Gets the scope of this node. */
  Scope getScope() { none() }

+  private DataFlowCallable getCallableScope(Scope s) {
+    result.getScope() = s
+    or
+    not exists(DataFlowCallable c | c.getScope() = s) and
+    result = getCallableScope(s.getEnclosingScope())
+  }
+
  /** Gets the enclosing callable of this node. */
-  DataFlowCallable getEnclosingCallable() { result.getScope() = this.getScope() }
+  DataFlowCallable getEnclosingCallable() { result = getCallableScope(this.getScope()) }

  /** Gets the location of this node */
  Location getLocation() { none() }
@@ -138,6 +145,62 @@ class BarrierGuard extends Expr {
 /**
 * A reference contained in an object. This is either a field or a property.
 */
-class Content extends string {
-  Content() { this = "Content" }
+newtype TContent =
+  /** An element of a list. */
+  TListElementContent() or
+  /** An element of a set. */
+  TSetElementContent() or
+  /** An element of a tuple at a specifik index. */
+  TTupleElementContent(int index) { exists(any(TupleNode tn).getElement(index)) } or
+  /** An element of a dictionary under a specific key. */
+  TDictionaryElementContent(string key) {
+    key = any(KeyValuePair kvp).getKey().(StrConst).getS()
+    or
+    key = any(Keyword kw).getArg()
+  } or
+  /** An element of a dictionary at any key. */
+  TDictionaryElementAnyContent()
+
+class Content extends TContent {
+  /** Gets a textual representation of this element. */
+  string toString() { result = "Content" }
+}
+
+class ListElementContent extends TListElementContent, Content {
+  /** Gets a textual representation of this element. */
+  override string toString() { result = "List element" }
+}
+
+class SetElementContent extends TSetElementContent, Content {
+  /** Gets a textual representation of this element. */
+  override string toString() { result = "Set element" }
+}
+
+class TupleElementContent extends TTupleElementContent, Content {
+  int index;
+
+  TupleElementContent() { this = TTupleElementContent(index) }
+
+  /** Gets the index for this tuple element */
+  int getIndex() { result = index }
+
+  /** Gets a textual representation of this element. */
+  override string toString() { result = "Tuple element at index " + index.toString() }
+}
+
+class DictionaryElementContent extends TDictionaryElementContent, Content {
+  string key;
+
+  DictionaryElementContent() { this = TDictionaryElementContent(key) }
+
+  /** Gets the index for this tuple element */
+  string getKey() { result = key }
+
+  /** Gets a textual representation of this element. */
+  override string toString() { result = "Dictionary element at key " + key }
+}
+
+class DictionaryElementAnyContent extends TDictionaryElementAnyContent, Content {
+  /** Gets a textual representation of this element. */
+  override string toString() { result = "Any dictionary element" }
 }
--- a/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected
@@ -88,6 +88,8 @@ uniquePostUpdate
 postIsInSameCallable
 reverseRead
 storeIsPostUpdate
+| test.py:152:9:152:16 | ControlFlowNode for List | Store targets should be PostUpdateNodes. |
+| test.py:153:9:153:24 | ControlFlowNode for Dict | Store targets should be PostUpdateNodes. |
 argHasPostUpdate
 | test.py:25:10:25:10 | ControlFlowNode for t | ArgumentNode is missing PostUpdateNode. |
 | test.py:29:10:29:10 | ControlFlowNode for t | ArgumentNode is missing PostUpdateNode. |
--- a/python/ql/test/experimental/dataflow/coverage/dataflow.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow.expected
@@ -68,15 +68,69 @@ edges
 | datamodel.py:107:18:107:31 | GSSA Variable c | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() |
 | datamodel.py:107:18:107:31 | GSSA Variable c | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() |
 | datamodel.py:119:18:119:29 | GSSA Variable SOURCE | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() |
+| test.py:32:10:32:26 | ControlFlowNode for Tuple [Tuple element at index 1] | test.py:33:9:33:9 | ControlFlowNode for x [Tuple element at index 1] |
+| test.py:32:21:32:26 | ControlFlowNode for SOURCE | test.py:32:10:32:26 | ControlFlowNode for Tuple [Tuple element at index 1] |
+| test.py:33:9:33:9 | ControlFlowNode for x [Tuple element at index 1] | test.py:33:9:33:12 | ControlFlowNode for Subscript |
+| test.py:33:9:33:12 | ControlFlowNode for Subscript | test.py:34:10:34:10 | ControlFlowNode for y |
 | test.py:43:9:43:14 | ControlFlowNode for SOURCE | test.py:44:10:44:10 | ControlFlowNode for x |
 | test.py:48:9:48:16 | ControlFlowNode for Str | test.py:49:10:49:10 | ControlFlowNode for x |
 | test.py:52:9:52:17 | ControlFlowNode for Str | test.py:53:10:53:10 | ControlFlowNode for x |
 | test.py:56:9:56:10 | ControlFlowNode for IntegerLiteral | test.py:57:10:57:10 | ControlFlowNode for x |
 | test.py:60:9:60:12 | ControlFlowNode for FloatLiteral | test.py:61:10:61:10 | ControlFlowNode for x |
 | test.py:69:10:69:15 | ControlFlowNode for SOURCE | test.py:70:10:70:10 | ControlFlowNode for x |
-| test.py:246:28:246:33 | ControlFlowNode for SOURCE | test.py:246:10:246:34 | ControlFlowNode for second() |
-| test.py:305:12:305:17 | ControlFlowNode for SOURCE | test.py:305:10:305:18 | ControlFlowNode for f() |
-| test.py:309:28:309:33 | ControlFlowNode for SOURCE | test.py:309:10:309:34 | ControlFlowNode for second() |
+| test.py:74:9:74:16 | ControlFlowNode for List [List element] | test.py:75:10:75:10 | ControlFlowNode for x [List element] |
+| test.py:74:10:74:15 | ControlFlowNode for SOURCE | test.py:74:9:74:16 | ControlFlowNode for List [List element] |
+| test.py:75:10:75:10 | ControlFlowNode for x [List element] | test.py:75:10:75:13 | ControlFlowNode for Subscript |
+| test.py:82:9:82:37 | ControlFlowNode for ListComp [List element] | test.py:83:10:83:10 | ControlFlowNode for x [List element] |
+| test.py:82:10:82:15 | ControlFlowNode for SOURCE | test.py:82:9:82:37 | ControlFlowNode for ListComp [List element] |
+| test.py:83:10:83:10 | ControlFlowNode for x [List element] | test.py:83:10:83:13 | ControlFlowNode for Subscript |
+| test.py:86:9:86:29 | ControlFlowNode for ListComp [List element] | test.py:87:10:87:10 | ControlFlowNode for x [List element] |
+| test.py:86:10:86:10 | ControlFlowNode for y | test.py:86:9:86:29 | ControlFlowNode for ListComp [List element] |
+| test.py:86:16:86:16 | SSA variable y | test.py:86:10:86:10 | ControlFlowNode for y |
+| test.py:86:21:86:28 | ControlFlowNode for List [List element] | test.py:86:16:86:16 | SSA variable y |
+| test.py:86:22:86:27 | ControlFlowNode for SOURCE | test.py:86:21:86:28 | ControlFlowNode for List [List element] |
+| test.py:87:10:87:10 | ControlFlowNode for x [List element] | test.py:87:10:87:13 | ControlFlowNode for Subscript |
+| test.py:90:9:90:16 | ControlFlowNode for List [List element] | test.py:91:21:91:21 | ControlFlowNode for l [List element] |
+| test.py:90:10:90:15 | ControlFlowNode for SOURCE | test.py:90:9:90:16 | ControlFlowNode for List [List element] |
+| test.py:91:9:91:22 | ControlFlowNode for ListComp [List element] | test.py:92:10:92:10 | ControlFlowNode for x [List element] |
+| test.py:91:10:91:10 | ControlFlowNode for y | test.py:91:9:91:22 | ControlFlowNode for ListComp [List element] |
+| test.py:91:16:91:16 | SSA variable y | test.py:91:10:91:10 | ControlFlowNode for y |
+| test.py:91:21:91:21 | ControlFlowNode for l [List element] | test.py:91:16:91:16 | SSA variable y |
+| test.py:92:10:92:10 | ControlFlowNode for x [List element] | test.py:92:10:92:13 | ControlFlowNode for Subscript |
+| test.py:100:9:100:16 | ControlFlowNode for Set [List element] | test.py:101:10:101:10 | ControlFlowNode for x [List element] |
+| test.py:100:10:100:15 | ControlFlowNode for SOURCE | test.py:100:9:100:16 | ControlFlowNode for Set [List element] |
+| test.py:101:10:101:10 | ControlFlowNode for x [List element] | test.py:101:10:101:16 | ControlFlowNode for Attribute() |
+| test.py:104:9:104:37 | ControlFlowNode for SetComp [Set element] | test.py:105:10:105:10 | ControlFlowNode for x [Set element] |
+| test.py:104:10:104:15 | ControlFlowNode for SOURCE | test.py:104:9:104:37 | ControlFlowNode for SetComp [Set element] |
+| test.py:105:10:105:10 | ControlFlowNode for x [Set element] | test.py:105:10:105:16 | ControlFlowNode for Attribute() |
+| test.py:108:9:108:29 | ControlFlowNode for SetComp [Set element] | test.py:109:10:109:10 | ControlFlowNode for x [Set element] |
+| test.py:108:10:108:10 | ControlFlowNode for y | test.py:108:9:108:29 | ControlFlowNode for SetComp [Set element] |
+| test.py:108:16:108:16 | SSA variable y | test.py:108:10:108:10 | ControlFlowNode for y |
+| test.py:108:21:108:28 | ControlFlowNode for List [List element] | test.py:108:16:108:16 | SSA variable y |
+| test.py:108:22:108:27 | ControlFlowNode for SOURCE | test.py:108:21:108:28 | ControlFlowNode for List [List element] |
+| test.py:109:10:109:10 | ControlFlowNode for x [Set element] | test.py:109:10:109:16 | ControlFlowNode for Attribute() |
+| test.py:112:9:112:16 | ControlFlowNode for Set [List element] | test.py:113:21:113:21 | ControlFlowNode for l [List element] |
+| test.py:112:10:112:15 | ControlFlowNode for SOURCE | test.py:112:9:112:16 | ControlFlowNode for Set [List element] |
+| test.py:113:9:113:22 | ControlFlowNode for SetComp [Set element] | test.py:114:10:114:10 | ControlFlowNode for x [Set element] |
+| test.py:113:10:113:10 | ControlFlowNode for y | test.py:113:9:113:22 | ControlFlowNode for SetComp [Set element] |
+| test.py:113:16:113:16 | SSA variable y | test.py:113:10:113:10 | ControlFlowNode for y |
+| test.py:113:21:113:21 | ControlFlowNode for l [List element] | test.py:113:16:113:16 | SSA variable y |
+| test.py:114:10:114:10 | ControlFlowNode for x [Set element] | test.py:114:10:114:16 | ControlFlowNode for Attribute() |
+| test.py:122:9:122:21 | ControlFlowNode for Dict [Dictionary element at key s] | test.py:123:10:123:10 | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:122:15:122:20 | ControlFlowNode for SOURCE | test.py:122:9:122:21 | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:123:10:123:10 | ControlFlowNode for x [Dictionary element at key s] | test.py:123:10:123:15 | ControlFlowNode for Subscript |
+| test.py:126:9:126:21 | ControlFlowNode for Dict [Dictionary element at key s] | test.py:127:10:127:10 | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:126:15:126:20 | ControlFlowNode for SOURCE | test.py:126:9:126:21 | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:127:10:127:10 | ControlFlowNode for x [Dictionary element at key s] | test.py:127:10:127:19 | ControlFlowNode for Attribute() |
+| test.py:252:11:252:16 | ControlFlowNode for SOURCE | test.py:252:11:252:17 | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:252:11:252:17 | ControlFlowNode for Tuple [Tuple element at index 0] | test.py:252:10:252:21 | ControlFlowNode for Subscript |
+| test.py:255:10:255:17 | ControlFlowNode for List [List element] | test.py:255:10:255:20 | ControlFlowNode for Subscript |
+| test.py:255:11:255:16 | ControlFlowNode for SOURCE | test.py:255:10:255:17 | ControlFlowNode for List [List element] |
+| test.py:258:10:258:21 | ControlFlowNode for Dict [Dictionary element at key s] | test.py:258:10:258:26 | ControlFlowNode for Subscript |
+| test.py:258:15:258:20 | ControlFlowNode for SOURCE | test.py:258:10:258:21 | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:276:28:276:33 | ControlFlowNode for SOURCE | test.py:276:10:276:34 | ControlFlowNode for second() |
+| test.py:335:12:335:17 | ControlFlowNode for SOURCE | test.py:335:10:335:18 | ControlFlowNode for f() |
+| test.py:339:28:339:33 | ControlFlowNode for SOURCE | test.py:339:10:339:34 | ControlFlowNode for second() |
 nodes
 | datamodel.py:13:1:13:6 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
 | datamodel.py:13:10:13:17 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
@@ -120,6 +174,11 @@ nodes
 | datamodel.py:107:18:107:31 | GSSA Variable c | semmle.label | GSSA Variable c |
 | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | datamodel.py:119:18:119:29 | GSSA Variable SOURCE | semmle.label | GSSA Variable SOURCE |
+| test.py:32:10:32:26 | ControlFlowNode for Tuple [Tuple element at index 1] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 1] |
+| test.py:32:21:32:26 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:33:9:33:9 | ControlFlowNode for x [Tuple element at index 1] | semmle.label | ControlFlowNode for x [Tuple element at index 1] |
+| test.py:33:9:33:12 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:34:10:34:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
 | test.py:43:9:43:14 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:44:10:44:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | test.py:48:9:48:16 | ControlFlowNode for Str | semmle.label | ControlFlowNode for Str |
@@ -132,12 +191,75 @@ nodes
 | test.py:61:10:61:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | test.py:69:10:69:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | test.py:70:10:70:10 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
-| test.py:246:10:246:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
-| test.py:246:28:246:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
-| test.py:305:10:305:18 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
-| test.py:305:12:305:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
-| test.py:309:10:309:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
-| test.py:309:28:309:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:74:9:74:16 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:74:10:74:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:75:10:75:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:75:10:75:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:82:9:82:37 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:82:10:82:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:83:10:83:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:83:10:83:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:86:9:86:29 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:86:10:86:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:86:16:86:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:86:21:86:28 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:86:22:86:27 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:87:10:87:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:87:10:87:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:90:9:90:16 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:90:10:90:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:91:9:91:22 | ControlFlowNode for ListComp [List element] | semmle.label | ControlFlowNode for ListComp [List element] |
+| test.py:91:10:91:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:91:16:91:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:91:21:91:21 | ControlFlowNode for l [List element] | semmle.label | ControlFlowNode for l [List element] |
+| test.py:92:10:92:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:92:10:92:13 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:100:9:100:16 | ControlFlowNode for Set [List element] | semmle.label | ControlFlowNode for Set [List element] |
+| test.py:100:10:100:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:101:10:101:10 | ControlFlowNode for x [List element] | semmle.label | ControlFlowNode for x [List element] |
+| test.py:101:10:101:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:104:9:104:37 | ControlFlowNode for SetComp [Set element] | semmle.label | ControlFlowNode for SetComp [Set element] |
+| test.py:104:10:104:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:105:10:105:10 | ControlFlowNode for x [Set element] | semmle.label | ControlFlowNode for x [Set element] |
+| test.py:105:10:105:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:108:9:108:29 | ControlFlowNode for SetComp [Set element] | semmle.label | ControlFlowNode for SetComp [Set element] |
+| test.py:108:10:108:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:108:16:108:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:108:21:108:28 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:108:22:108:27 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:109:10:109:10 | ControlFlowNode for x [Set element] | semmle.label | ControlFlowNode for x [Set element] |
+| test.py:109:10:109:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:112:9:112:16 | ControlFlowNode for Set [List element] | semmle.label | ControlFlowNode for Set [List element] |
+| test.py:112:10:112:15 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:113:9:113:22 | ControlFlowNode for SetComp [Set element] | semmle.label | ControlFlowNode for SetComp [Set element] |
+| test.py:113:10:113:10 | ControlFlowNode for y | semmle.label | ControlFlowNode for y |
+| test.py:113:16:113:16 | SSA variable y | semmle.label | SSA variable y |
+| test.py:113:21:113:21 | ControlFlowNode for l [List element] | semmle.label | ControlFlowNode for l [List element] |
+| test.py:114:10:114:10 | ControlFlowNode for x [Set element] | semmle.label | ControlFlowNode for x [Set element] |
+| test.py:114:10:114:16 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:122:9:122:21 | ControlFlowNode for Dict [Dictionary element at key s] | semmle.label | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:122:15:122:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:123:10:123:10 | ControlFlowNode for x [Dictionary element at key s] | semmle.label | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:123:10:123:15 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:126:9:126:21 | ControlFlowNode for Dict [Dictionary element at key s] | semmle.label | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:126:15:126:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:127:10:127:10 | ControlFlowNode for x [Dictionary element at key s] | semmle.label | ControlFlowNode for x [Dictionary element at key s] |
+| test.py:127:10:127:19 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| test.py:252:10:252:21 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:252:11:252:16 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:252:11:252:17 | ControlFlowNode for Tuple [Tuple element at index 0] | semmle.label | ControlFlowNode for Tuple [Tuple element at index 0] |
+| test.py:255:10:255:17 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
+| test.py:255:10:255:20 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:255:11:255:16 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:258:10:258:21 | ControlFlowNode for Dict [Dictionary element at key s] | semmle.label | ControlFlowNode for Dict [Dictionary element at key s] |
+| test.py:258:10:258:26 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:258:15:258:20 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:276:10:276:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
+| test.py:276:28:276:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:335:10:335:18 | ControlFlowNode for f() | semmle.label | ControlFlowNode for f() |
+| test.py:335:12:335:17 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
+| test.py:339:10:339:34 | ControlFlowNode for second() | semmle.label | ControlFlowNode for second() |
+| test.py:339:28:339:33 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 #select
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:38:6:38:17 | ControlFlowNode for f() | <message> |
 | datamodel.py:38:6:38:17 | ControlFlowNode for f() | datamodel.py:38:8:38:13 | ControlFlowNode for SOURCE | datamodel.py:38:6:38:17 | ControlFlowNode for f() | <message> |
@@ -156,12 +278,26 @@ nodes
 | datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:106:6:106:30 | ControlFlowNode for Attribute() | <message> |
 | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:107:6:107:32 | ControlFlowNode for Attribute() | <message> |
 | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() | datamodel.py:13:10:13:17 | ControlFlowNode for Str | datamodel.py:119:6:119:30 | ControlFlowNode for Attribute() | <message> |
+| test.py:34:10:34:10 | ControlFlowNode for y | test.py:32:21:32:26 | ControlFlowNode for SOURCE | test.py:34:10:34:10 | ControlFlowNode for y | <message> |
 | test.py:44:10:44:10 | ControlFlowNode for x | test.py:43:9:43:14 | ControlFlowNode for SOURCE | test.py:44:10:44:10 | ControlFlowNode for x | <message> |
 | test.py:49:10:49:10 | ControlFlowNode for x | test.py:48:9:48:16 | ControlFlowNode for Str | test.py:49:10:49:10 | ControlFlowNode for x | <message> |
 | test.py:53:10:53:10 | ControlFlowNode for x | test.py:52:9:52:17 | ControlFlowNode for Str | test.py:53:10:53:10 | ControlFlowNode for x | <message> |
 | test.py:57:10:57:10 | ControlFlowNode for x | test.py:56:9:56:10 | ControlFlowNode for IntegerLiteral | test.py:57:10:57:10 | ControlFlowNode for x | <message> |
 | test.py:61:10:61:10 | ControlFlowNode for x | test.py:60:9:60:12 | ControlFlowNode for FloatLiteral | test.py:61:10:61:10 | ControlFlowNode for x | <message> |
 | test.py:70:10:70:10 | ControlFlowNode for x | test.py:69:10:69:15 | ControlFlowNode for SOURCE | test.py:70:10:70:10 | ControlFlowNode for x | <message> |
-| test.py:246:10:246:34 | ControlFlowNode for second() | test.py:246:28:246:33 | ControlFlowNode for SOURCE | test.py:246:10:246:34 | ControlFlowNode for second() | <message> |
-| test.py:305:10:305:18 | ControlFlowNode for f() | test.py:305:12:305:17 | ControlFlowNode for SOURCE | test.py:305:10:305:18 | ControlFlowNode for f() | <message> |
-| test.py:309:10:309:34 | ControlFlowNode for second() | test.py:309:28:309:33 | ControlFlowNode for SOURCE | test.py:309:10:309:34 | ControlFlowNode for second() | <message> |
+| test.py:75:10:75:13 | ControlFlowNode for Subscript | test.py:74:10:74:15 | ControlFlowNode for SOURCE | test.py:75:10:75:13 | ControlFlowNode for Subscript | <message> |
+| test.py:83:10:83:13 | ControlFlowNode for Subscript | test.py:82:10:82:15 | ControlFlowNode for SOURCE | test.py:83:10:83:13 | ControlFlowNode for Subscript | <message> |
+| test.py:87:10:87:13 | ControlFlowNode for Subscript | test.py:86:22:86:27 | ControlFlowNode for SOURCE | test.py:87:10:87:13 | ControlFlowNode for Subscript | <message> |
+| test.py:92:10:92:13 | ControlFlowNode for Subscript | test.py:90:10:90:15 | ControlFlowNode for SOURCE | test.py:92:10:92:13 | ControlFlowNode for Subscript | <message> |
+| test.py:101:10:101:16 | ControlFlowNode for Attribute() | test.py:100:10:100:15 | ControlFlowNode for SOURCE | test.py:101:10:101:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:105:10:105:16 | ControlFlowNode for Attribute() | test.py:104:10:104:15 | ControlFlowNode for SOURCE | test.py:105:10:105:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:109:10:109:16 | ControlFlowNode for Attribute() | test.py:108:22:108:27 | ControlFlowNode for SOURCE | test.py:109:10:109:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:114:10:114:16 | ControlFlowNode for Attribute() | test.py:112:10:112:15 | ControlFlowNode for SOURCE | test.py:114:10:114:16 | ControlFlowNode for Attribute() | <message> |
+| test.py:123:10:123:15 | ControlFlowNode for Subscript | test.py:122:15:122:20 | ControlFlowNode for SOURCE | test.py:123:10:123:15 | ControlFlowNode for Subscript | <message> |
+| test.py:127:10:127:19 | ControlFlowNode for Attribute() | test.py:126:15:126:20 | ControlFlowNode for SOURCE | test.py:127:10:127:19 | ControlFlowNode for Attribute() | <message> |
+| test.py:252:10:252:21 | ControlFlowNode for Subscript | test.py:252:11:252:16 | ControlFlowNode for SOURCE | test.py:252:10:252:21 | ControlFlowNode for Subscript | <message> |
+| test.py:255:10:255:20 | ControlFlowNode for Subscript | test.py:255:11:255:16 | ControlFlowNode for SOURCE | test.py:255:10:255:20 | ControlFlowNode for Subscript | <message> |
+| test.py:258:10:258:26 | ControlFlowNode for Subscript | test.py:258:15:258:20 | ControlFlowNode for SOURCE | test.py:258:10:258:26 | ControlFlowNode for Subscript | <message> |
+| test.py:276:10:276:34 | ControlFlowNode for second() | test.py:276:28:276:33 | ControlFlowNode for SOURCE | test.py:276:10:276:34 | ControlFlowNode for second() | <message> |
+| test.py:335:10:335:18 | ControlFlowNode for f() | test.py:335:12:335:17 | ControlFlowNode for SOURCE | test.py:335:10:335:18 | ControlFlowNode for f() | <message> |
+| test.py:339:10:339:34 | ControlFlowNode for second() | test.py:339:28:339:33 | ControlFlowNode for SOURCE | test.py:339:10:339:34 | ControlFlowNode for second() | <message> |
--- a/python/ql/test/experimental/dataflow/coverage/test.py
+++ b/python/ql/test/experimental/dataflow/coverage/test.py
@@ -31,7 +31,7 @@ def SINK_F(x):
 def test_tuple_with_local_flow():
    x = (NONSOURCE, SOURCE)
    y = x[1]
-    SINK(y) # Flow missing
+    SINK(y)

 def test_tuple_negative():
    x = (NONSOURCE, SOURCE)
@@ -72,7 +72,7 @@ def test_parenthesized_form():
 # 6.2.5. List displays
 def test_list_display():
    x = [SOURCE]
-    SINK(x[0]) # Flow missing
+    SINK(x[0])

 def test_list_display_negative():
    x = [SOURCE]
@@ -80,7 +80,16 @@ def test_list_display_negative():

 def test_list_comprehension():
    x = [SOURCE for y in [NONSOURCE]]
-    SINK(x[0]) # Flow missing
+    SINK(x[0])
+
+def test_list_comprehension_flow():
+    x = [y for y in [SOURCE]]
+    SINK(x[0])
+
+def test_list_comprehension_inflow():
+    l = [SOURCE]
+    x = [y for y in l]
+    SINK(x[0])

 def test_nested_list_display():
    x = [* [SOURCE]]
@@ -89,11 +98,20 @@ def test_nested_list_display():
 # 6.2.6. Set displays
 def test_set_display():
    x = {SOURCE}
-    SINK(x.pop()) # Flow missing
+    SINK(x.pop())

 def test_set_comprehension():
    x = {SOURCE for y in [NONSOURCE]}
-    SINK(x.pop()) # Flow missing
+    SINK(x.pop())
+
+def test_set_comprehension_flow():
+    x = {y for y in [SOURCE]}
+    SINK(x.pop())
+
+def test_set_comprehension_inflow():
+    l = {SOURCE}
+    x = {y for y in l}
+    SINK(x.pop())

 def test_nested_set_display():
    x = {* {SOURCE}}
@@ -102,16 +120,28 @@ def test_nested_set_display():
 # 6.2.7. Dictionary displays
 def test_dict_display():
    x = {"s": SOURCE}
-    SINK(x["s"]) # Flow missing
+    SINK(x["s"])
+
+def test_dict_display_pop():
+    x = {"s": SOURCE}
+    SINK(x.pop("s"))

 def test_dict_comprehension():
    x = {y: SOURCE for y in ["s"]}
    SINK(x["s"]) # Flow missing

+def test_dict_comprehension_pop():
+    x = {y: SOURCE for y in ["s"]}
+    SINK(x.pop("s")) # Flow missing
+
 def test_nested_dict_display():
    x = {** {"s": SOURCE}}
    SINK(x["s"]) # Flow missing

+def test_nested_dict_display_pop():
+    x = {** {"s": SOURCE}}
+    SINK(x.pop("s")) # Flow missing
+
 # 6.2.8. Generator expressions
 def test_generator():
    x = (SOURCE for y in [NONSOURCE])
@@ -219,13 +249,13 @@ def test_attribute_reference():

 # 6.3.2. Subscriptions
 def test_subscription_tuple():
-    SINK((SOURCE,)[0]) # Flow missing
+    SINK((SOURCE,)[0])

 def test_subscription_list():
-    SINK([SOURCE][0]) # Flow missing
+    SINK([SOURCE][0])

 def test_subscription_mapping():
-    SINK({"s":SOURCE}["s"]) # Flow missing
+    SINK({"s":SOURCE}["s"])

 # overriding __getitem__ should be tested by the class coverage tests