Python: Fix getAGuardedNode

2025-12-20 10:46:30 +01:00 · 2020-09-14 14:46:15 +02:00
parent 0eb8b6c7b0
commit 543876f980
6 changed files with 62 additions and 11 deletions
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -130,7 +130,7 @@ module EssaFlow {
  }

  predicate useToNextUse(NameNode nodeFrom, NameNode nodeTo) {
-    AdjacentUses::adjacentUseUseSameVar(nodeFrom, nodeTo)
+    AdjacentUses::adjacentUseUse(nodeFrom, nodeTo)
  }

  predicate defToFirstUse(EssaVariable var, NameNode nodeTo) {
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
@@ -5,6 +5,7 @@
 private import python
 private import DataFlowPrivate
 import experimental.dataflow.TypeTracker
+private import semmle.python.essa.SsaCompute

 /**
 * IPA type for data flow nodes.
@@ -176,10 +177,10 @@ class BarrierGuard extends GuardNode {

  /** Gets a node guarded by this guard. */
  final ExprNode getAGuardedNode() {
-    exists(Variable v, NameNode n, boolean testIsTrue |
-      n.uses(v) and
-      this.checks(n, testIsTrue) and
-      result.asCfgNode().(NameNode).uses(v) and
+    exists(EssaDefinition def, ControlFlowNode node, boolean testIsTrue |
+      AdjacentUses::aUse(def, node) and
+      this.checks(node, testIsTrue) and
+      AdjacentUses::aUse(def, result.asCfgNode()) and
      this.controlsNode(result.asCfgNode(), testIsTrue)
    )
  }
--- a/python/ql/src/semmle/python/essa/SsaCompute.qll
+++ b/python/ql/src/semmle/python/essa/SsaCompute.qll
@@ -443,9 +443,28 @@ private module SsaComputeImpl {
      )
    }

+    /**
+     * Holds if `use1` and `use2` form an adjacent use-use-pair of the same
+     * `SsaSourceVariable`, that is, the value read in `use1` can reach `use2`
+     * without passing through any other use or any SSA definition of the variable
+     * except for phi nodes.
+     */
+    cached
+    predicate adjacentUseUse(ControlFlowNode use1, ControlFlowNode use2) {
+      adjacentUseUseSameVar(use1, use2)
+      or
+      exists(SsaSourceVariable v, EssaDefinition def, BasicBlock b1, int i1, BasicBlock b2, int i2 |
+        adjacentVarRefs(v, b1, i1, b2, i2) and
+        variableUse(v, use1, b1, i1) and
+        definesAt(def, v, b2, i2) and
+        firstUse(def, use2) and
+        def instanceof PhiFunction
+      )
+    }
+
    /**
     * Holds if the value defined at `def` can reach `use` without passing through
-     * any other uses, but possibly through phi nodes and uncertain implicit updates.
+     * any other uses, but possibly through phi nodes.
     */
    cached
    predicate firstUse(EssaDefinition def, ControlFlowNode use) {
@@ -482,6 +501,19 @@ private module SsaComputeImpl {
      b = def.(PhiFunction).getBasicBlock() and
      i = -1
    }
+
+    /**
+     * Holds if the value defined at `def` can reach `use`, possibly through phi nodes.
+     */
+    cached
+    predicate aUse(EssaDefinition def, ControlFlowNode use) {
+      firstUse(def, use)
+      or
+      exists(ControlFlowNode firstUse |
+        firstUse(def, firstUse) and
+        adjacentUseUse(firstUse, use)
+      )
+    }
  }
 }