Python: more local flow and more tests

python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll

@@ -63,6 +63,8 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
   // nodeFrom is control flow node for `x`
   // nodeTo is SSA variable for `x`
   nodeFrom.asCfgNode() = nodeTo.asEssaNode().(ParameterDefinition).getDefiningNode()
+  or
+  nodeFrom.asEssaNode().getAUse() = nodeTo.asCfgNode()
 }
 
 // TODO: Make modules for these headings
@@ -120,7 +122,8 @@ class ReturnKind extends TReturnKind {
 
 /** A data flow node that represents a value returned by a callable. */
 class ReturnNode extends Node {
-  ReturnNode() { this.asCfgNode().isNormalExit() }
+  // See `TaintTrackingImplementation::returnFlowStep`
+  ReturnNode() { this.asCfgNode() = any(Return r).getValue().getAFlowNode() }
 
   /** Gets the kind of this return node. */
   ReturnKind getKind() { result = TNormalReturnKind() }

python/ql/test/experimental/dataflow/callGraph.ql

@@ -0,0 +1,9 @@
+import callGraphConfig
+
+from
+  DataFlow::Node source,
+  DataFlow::Node sink
+where
+  exists(CallGraphConfig cfg | cfg.hasFlow(source, sink))
+select
+  source, sink

python/ql/test/experimental/dataflow/callGraphConfig.qll

@@ -0,0 +1,16 @@
+import experimental.dataflow.DataFlow
+
+/**
+ * A configuration to find the call graph edges. 
+ */
+class CallGraphConfig extends DataFlow::Configuration {
+  CallGraphConfig() { this = "CallGraphConfig" }
+
+  override predicate isSource(DataFlow::Node node) {
+    node instanceof DataFlow::ReturnNode
+  }
+
+  override predicate isSink(DataFlow::Node node) {
+    node instanceof DataFlow::OutNode
+  }
+}

python/ql/test/experimental/dataflow/callGraphSinks.expected

@@ -0,0 +1 @@
+| test.py:8:5:8:8 | ControlFlowNode for f() |

python/ql/test/experimental/dataflow/callGraphSinks.ql

@@ -0,0 +1,5 @@
+import callGraphConfig
+
+from DataFlow::Node sink
+where exists(CallGraphConfig cfg | cfg.isSink(sink))
+select sink

python/ql/test/experimental/dataflow/callGraphSources.expected

@@ -0,0 +1 @@
+| test.py:6:10:6:14 | ControlFlowNode for BinaryExpr |

python/ql/test/experimental/dataflow/callGraphSources.ql

@@ -0,0 +1,5 @@
+import callGraphConfig
+
+from DataFlow::Node source
+where exists(CallGraphConfig cfg | cfg.isSource(source))
+select source

python/ql/test/experimental/dataflow/local.expected

@@ -1,7 +1,27 @@
+| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:0:0:0:0 | Exit node for Module test |
+| test.py:0:0:0:0 | GSSA Variable __name__ | test.py:8:5:8:8 | ControlFlowNode for f() |
+| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:0:0:0:0 | Exit node for Module test |
+| test.py:0:0:0:0 | GSSA Variable __package__ | test.py:8:5:8:8 | ControlFlowNode for f() |
+| test.py:0:0:0:0 | GSSA Variable c | test.py:8:5:8:8 | ControlFlowNode for f() |
+| test.py:0:0:0:0 | SSA variable $ | test.py:0:0:0:0 | Exit node for Module test |
+| test.py:1:1:1:1 | GSSA Variable a | test.py:2:5:2:5 | ControlFlowNode for a |
+| test.py:1:1:1:1 | GSSA Variable a | test.py:8:5:8:8 | ControlFlowNode for f() |
 | test.py:1:1:1:1 | GSSA Variable a | test.py:8:5:8:8 | GSSA Variable a |
+| test.py:1:1:1:1 | GSSA Variable a | test.py:8:7:8:7 | ControlFlowNode for a |
 | test.py:1:5:1:5 | ControlFlowNode for IntegerLiteral | test.py:1:1:1:1 | GSSA Variable a |
+| test.py:2:1:2:1 | GSSA Variable b | test.py:0:0:0:0 | Exit node for Module test |
+| test.py:2:1:2:1 | GSSA Variable b | test.py:8:5:8:8 | ControlFlowNode for f() |
 | test.py:2:5:2:5 | ControlFlowNode for a | test.py:2:1:2:1 | GSSA Variable b |
 | test.py:4:1:4:9 | ControlFlowNode for FunctionExpr | test.py:4:5:4:5 | GSSA Variable f |
+| test.py:4:5:4:5 | GSSA Variable f | test.py:0:0:0:0 | Exit node for Module test |
+| test.py:4:5:4:5 | GSSA Variable f | test.py:8:5:8:5 | ControlFlowNode for f |
+| test.py:4:5:4:5 | GSSA Variable f | test.py:8:5:8:8 | ControlFlowNode for f() |
 | test.py:4:7:4:7 | ControlFlowNode for x | test.py:4:7:4:7 | SSA variable x |
+| test.py:4:7:4:7 | SSA variable x | test.py:4:1:4:9 | Exit node for Function f |
+| test.py:4:7:4:7 | SSA variable x | test.py:5:7:5:7 | ControlFlowNode for x |
+| test.py:5:3:5:3 | SSA variable y | test.py:4:1:4:9 | Exit node for Function f |
+| test.py:5:3:5:3 | SSA variable y | test.py:6:10:6:10 | ControlFlowNode for y |
 | test.py:5:7:5:11 | ControlFlowNode for BinaryExpr | test.py:5:3:5:3 | SSA variable y |
+| test.py:8:1:8:1 | GSSA Variable c | test.py:0:0:0:0 | Exit node for Module test |
 | test.py:8:5:8:8 | ControlFlowNode for f() | test.py:8:1:8:1 | GSSA Variable c |
+| test.py:8:5:8:8 | GSSA Variable a | test.py:0:0:0:0 | Exit node for Module test |

python/ql/test/experimental/dataflow/sinks.expected

@@ -1,12 +1,2 @@
 | test.py:0:0:0:0 | Exit node for Module test |
-| test.py:0:0:0:0 | GSSA Variable __name__ |
-| test.py:0:0:0:0 | GSSA Variable __package__ |
-| test.py:0:0:0:0 | GSSA Variable c |
-| test.py:0:0:0:0 | SSA variable $ |
-| test.py:2:1:2:1 | GSSA Variable b |
 | test.py:4:1:4:9 | Exit node for Function f |
-| test.py:4:5:4:5 | GSSA Variable f |
-| test.py:4:7:4:7 | SSA variable x |
-| test.py:5:3:5:3 | SSA variable y |
-| test.py:8:1:8:1 | GSSA Variable c |
-| test.py:8:5:8:8 | GSSA Variable a |