Python points-to: Prevent bad magic on 'refersTo' member predicates.

2025-12-18 01:33:15 +01:00 · 2019-05-31 15:51:37 +01:00
parent 8d4a8a6c6b
commit 6a79e0aaa7
2 changed files with 6 additions and 17 deletions
--- a/python/ql/src/semmle/python/Exprs.qll
+++ b/python/ql/src/semmle/python/Exprs.qll
@@ -85,30 +85,16 @@ class Expr extends Expr_, AstNode {
    /** Gets what this expression might "refer-to" in the given `context`.
     */
    predicate refersTo(Context context, Object obj, ClassObject cls, AstNode origin) {
-        exists(Value value, ControlFlowNode cfgorigin |
-            PointsTo::pointsTo(this.getAFlowNode(), context, value, cfgorigin) and
-            origin.getAFlowNode() = cfgorigin and
-            cls = value.getClass().getSource() |
-            if exists(value.getSource()) then
-                obj = value.getSource()
-            else
-                obj = cfgorigin
-        )
+        this.getAFlowNode().refersTo(context, obj, cls, origin.getAFlowNode())
    }

    /** Whether this expression might "refer-to" to `value` which is from `origin` 
     * Unlike `this.refersTo(value, _, origin)`, this predicate includes results 
     * where the class cannot be inferred.
     */
+    pragma[nomagic]
    predicate refersTo(Object obj, AstNode origin) {
-        exists(Value value, ControlFlowNode cfgorigin |
-            PointsTo::pointsTo(this.getAFlowNode(), _, value, cfgorigin) and
-            origin.getAFlowNode() = cfgorigin and
-            if exists(value.getSource()) then
-                obj = value.getSource()
-            else
-                obj = cfgorigin
-        )
+        this.getAFlowNode().refersTo(obj, origin.getAFlowNode())
    }

    /** Equivalent to `this.refersTo(value, _)` */
--- a/python/ql/src/semmle/python/Flow.qll
+++ b/python/ql/src/semmle/python/Flow.qll
@@ -237,12 +237,14 @@ class ControlFlowNode extends @py_flow_node {
     *  precise, but may not provide information for a significant number of flow-nodes. 
     *  If the class is unimportant then use `refersTo(value)` or `refersTo(value, origin)` instead.
     */
+    pragma [nomagic]
    predicate refersTo(Object obj, ClassObject cls, ControlFlowNode origin) {
        this.refersTo(_, obj, cls, origin)
    }

    /** Gets what this expression might "refer-to" in the given `context`.
     */
+    pragma [nomagic]
    predicate refersTo(Context context, Object obj, ClassObject cls, ControlFlowNode origin) {
        not obj = unknownValue() and
        not cls = theUnknownType() and
@@ -253,6 +255,7 @@ class ControlFlowNode extends @py_flow_node {
     * Unlike `this.refersTo(value, _, origin)` this predicate includes results 
     * where the class cannot be inferred. 
     */
+    pragma [nomagic]
    predicate refersTo(Object obj, ControlFlowNode origin) {
        not obj = unknownValue() and
        PointsTo::points_to(this, _, obj, _, origin)