Python: Remove points-to from SSA.ql

Happily, this was not as deeply entwined as it looked at first glance.
2025-12-16 08:43:11 +01:00 · 2025-11-26 13:55:20 +00:00
parent 5b47fcbfa4
commit b9a5b3b628
2 changed files with 89 additions and 85 deletions
--- a/python/ql/lib/LegacyPointsTo.qll
+++ b/python/ql/lib/LegacyPointsTo.qll
@@ -340,3 +340,91 @@ Object getLiteralObject(ImmutableLiteral l) {
  name_consts(l, "None") and
  result = theNoneObject()
 }
+
+private predicate gettext_installed() {
+  // Good enough (and fast) approximation
+  exists(Module m | m.getName() = "gettext")
+}
+
+private predicate builtin_constant(string name) {
+  exists(Object::builtin(name))
+  or
+  name = "WindowsError"
+  or
+  name = "_" and gettext_installed()
+}
+
+/** Whether this name is (almost) always defined, ie. it is a builtin or VM defined name */
+predicate globallyDefinedName(string name) { builtin_constant(name) or auto_name(name) }
+
+private predicate auto_name(string name) {
+  name = "__file__" or name = "__builtins__" or name = "__name__"
+}
+
+/** An extension of `SsaVariable` that provides points-to related methods. */
+class SsaVariableWithPointsTo extends SsaVariable {
+  /** Gets an argument of the phi function defining this variable, pruned of unlikely edges. */
+  SsaVariable getAPrunedPhiInput() {
+    result = this.getAPhiInput() and
+    exists(BasicBlock incoming | incoming = this.getPredecessorBlockForPhiArgument(result) |
+      not incoming.getLastNode().(RaisingNode).unlikelySuccessor(this.getDefinition())
+    )
+  }
+
+  /** Gets the incoming edges for a Phi node, pruned of unlikely edges. */
+  private BasicBlockWithPointsTo getAPrunedPredecessorBlockForPhi() {
+    result = this.getAPredecessorBlockForPhi() and
+    not result.unlikelySuccessor(this.getDefinition().getBasicBlock())
+  }
+
+  private predicate implicitlyDefined() {
+    not exists(this.getDefinition()) and
+    not py_ssa_phi(this, _) and
+    exists(GlobalVariable var | this.getVariable() = var |
+      globallyDefinedName(var.getId())
+      or
+      var.getId() = "__path__" and var.getScope().(Module).isPackageInit()
+    )
+  }
+
+  /** Whether this variable may be undefined */
+  predicate maybeUndefined() {
+    not exists(this.getDefinition()) and not py_ssa_phi(this, _) and not this.implicitlyDefined()
+    or
+    this.getDefinition().isDelete()
+    or
+    exists(SsaVariableWithPointsTo var | var = this.getAPrunedPhiInput() | var.maybeUndefined())
+    or
+    /*
+     * For phi-nodes, there must be a corresponding phi-input for each control-flow
+     * predecessor. Otherwise, the variable will be undefined on that incoming edge.
+     * WARNING: the same phi-input may cover multiple predecessors, so this check
+     *          cannot be done by counting.
+     */
+
+    exists(BasicBlock incoming |
+      reaches_end(incoming) and
+      incoming = this.getAPrunedPredecessorBlockForPhi() and
+      not this.getAPhiInput().getDefinition().getBasicBlock().dominates(incoming)
+    )
+  }
+
+  override string getAQlClass() { none() }
+}
+
+private predicate reaches_end(BasicBlock b) {
+  not exits_early(b) and
+  (
+    /* Entry point */
+    not exists(BasicBlock prev | prev.getASuccessor() = b)
+    or
+    exists(BasicBlock prev | prev.getASuccessor() = b | reaches_end(prev))
+  )
+}
+
+private predicate exits_early(BasicBlock b) {
+  exists(FunctionObject f |
+    f.neverReturns() and
+    f.getACall().getBasicBlock() = b
+  )
+}
--- a/python/ql/lib/semmle/python/SSA.qll
+++ b/python/ql/lib/semmle/python/SSA.qll
@@ -1,7 +1,6 @@
 /** SSA library */

 import python
-private import LegacyPointsTo

 /**
 * A single static assignment variable.
@@ -62,14 +61,6 @@ class SsaVariable extends @py_ssa_var {
    )
  }

-  /** Gets an argument of the phi function defining this variable, pruned of unlikely edges. */
-  SsaVariable getAPrunedPhiInput() {
-    result = this.getAPhiInput() and
-    exists(BasicBlock incoming | incoming = this.getPredecessorBlockForPhiArgument(result) |
-      not incoming.getLastNode().(RaisingNode).unlikelySuccessor(this.getDefinition())
-    )
-  }
-
  /** Gets a variable that ultimately defines this variable and is not itself defined by another variable */
  SsaVariable getAnUltimateDefinition() {
    result = this and not exists(this.getAPhiInput())
@@ -86,17 +77,11 @@ class SsaVariable extends @py_ssa_var {
  string getId() { result = this.getVariable().getId() }

  /** Gets the incoming edges for a Phi node. */
-  private BasicBlock getAPredecessorBlockForPhi() {
+  BasicBlock getAPredecessorBlockForPhi() {
    exists(this.getAPhiInput()) and
    result.getASuccessor() = this.getDefinition().getBasicBlock()
  }

-  /** Gets the incoming edges for a Phi node, pruned of unlikely edges. */
-  private BasicBlockWithPointsTo getAPrunedPredecessorBlockForPhi() {
-    result = this.getAPredecessorBlockForPhi() and
-    not result.unlikelySuccessor(this.getDefinition().getBasicBlock())
-  }
-
  /** Whether it is possible to reach a use of this variable without passing a definition */
  predicate reachableWithoutDefinition() {
    not exists(this.getDefinition()) and not py_ssa_phi(this, _)
@@ -116,38 +101,6 @@ class SsaVariable extends @py_ssa_var {
    )
  }

-  /** Whether this variable may be undefined */
-  predicate maybeUndefined() {
-    not exists(this.getDefinition()) and not py_ssa_phi(this, _) and not this.implicitlyDefined()
-    or
-    this.getDefinition().isDelete()
-    or
-    exists(SsaVariable var | var = this.getAPrunedPhiInput() | var.maybeUndefined())
-    or
-    /*
-     * For phi-nodes, there must be a corresponding phi-input for each control-flow
-     * predecessor. Otherwise, the variable will be undefined on that incoming edge.
-     * WARNING: the same phi-input may cover multiple predecessors, so this check
-     *          cannot be done by counting.
-     */
-
-    exists(BasicBlock incoming |
-      reaches_end(incoming) and
-      incoming = this.getAPrunedPredecessorBlockForPhi() and
-      not this.getAPhiInput().getDefinition().getBasicBlock().dominates(incoming)
-    )
-  }
-
-  private predicate implicitlyDefined() {
-    not exists(this.getDefinition()) and
-    not py_ssa_phi(this, _) and
-    exists(GlobalVariable var | this.getVariable() = var |
-      globallyDefinedName(var.getId())
-      or
-      var.getId() = "__path__" and var.getScope().(Module).isPackageInit()
-    )
-  }
-
  /**
   * Gets the global variable that is accessed if this local is undefined.
   *  Only applies to local variables in class scopes.
@@ -174,43 +127,6 @@ class SsaVariable extends @py_ssa_var {
  }
 }

-private predicate reaches_end(BasicBlock b) {
-  not exits_early(b) and
-  (
-    /* Entry point */
-    not exists(BasicBlock prev | prev.getASuccessor() = b)
-    or
-    exists(BasicBlock prev | prev.getASuccessor() = b | reaches_end(prev))
-  )
-}
-
-private predicate exits_early(BasicBlock b) {
-  exists(FunctionObject f |
-    f.neverReturns() and
-    f.getACall().getBasicBlock() = b
-  )
-}
-
-private predicate gettext_installed() {
-  // Good enough (and fast) approximation
-  exists(Module m | m.getName() = "gettext")
-}
-
-private predicate builtin_constant(string name) {
-  exists(Object::builtin(name))
-  or
-  name = "WindowsError"
-  or
-  name = "_" and gettext_installed()
-}
-
-private predicate auto_name(string name) {
-  name = "__file__" or name = "__builtins__" or name = "__name__"
-}
-
-/** Whether this name is (almost) always defined, ie. it is a builtin or VM defined name */
-predicate globallyDefinedName(string name) { builtin_constant(name) or auto_name(name) }
-
 /** An SSA variable that is backed by a global variable */
 class GlobalSsaVariable extends EssaVariable {
  GlobalSsaVariable() { this.getSourceVariable() instanceof GlobalVariable }