Python points-to: Assorted tweaks to get nore tests passing.

2026-04-30 11:15:13 +02:00 · 2019-04-11 18:08:13 +01:00
parent 3b42f3cea3
commit ec080419ba
9 changed files with 38 additions and 26 deletions
--- a/python/ql/src/Exceptions/UnguardedNextInGenerator.ql
+++ b/python/ql/src/Exceptions/UnguardedNextInGenerator.ql
@@ -16,7 +16,7 @@ FunctionObject iter() {
    result = Object::builtin("iter")
 }

-FunctionObject next() {
+BuiltinFunctionObject next() {
    result = Object::builtin("next")
 }

--- a/python/ql/src/analysis/CallGraphEfficiency.ql
+++ b/python/ql/src/analysis/CallGraphEfficiency.ql
@@ -9,15 +9,15 @@ import semmle.python.pointsto.PointsToContext

 from int total_facts, int total_size, int depth, float efficiency
 where 
-total_facts = strictcount(ControlFlowNode call, FunctionObject func |
+total_facts = strictcount(ControlFlowNode call, CallableValue func |
    exists(PointsToContext ctx |
-        call = PointsTo::get_a_call(func, ctx) and
+        call = func.getACall(ctx) and
        depth = ctx.getDepth()
    )
 )
 and
-total_size = strictcount(ControlFlowNode call, FunctionObject func, PointsToContext ctx |
-    call = PointsTo::get_a_call(func, ctx) and
+total_size = strictcount(ControlFlowNode call, CallableValue func, PointsToContext ctx |
+    call = func.getACall(ctx) and
    depth = ctx.getDepth()
 )
 and
--- a/python/ql/src/analysis/CallGraphMarginalEfficiency.ql
+++ b/python/ql/src/analysis/CallGraphMarginalEfficiency.ql
@@ -8,20 +8,20 @@ import semmle.python.pointsto.PointsToContext

 from int total_facts, int total_size, int depth, float efficiency
 where 
-total_facts = strictcount(ControlFlowNode call, FunctionObject func |
+total_facts = strictcount(ControlFlowNode call, CallableValue func |
    exists(PointsToContext ctx |
-        call = PointsTo::get_a_call(func, ctx) and
+        call = func.getACall(ctx) and
        depth = ctx.getDepth()
        and not
        exists(PointsToContext shallower |
-            call = PointsTo::get_a_call(func, shallower) and
+        call = func.getACall(shallower) and
            shallower.getDepth() < depth
        )
    )
 )
 and
-total_size = strictcount(ControlFlowNode call, FunctionObject func, PointsToContext ctx |
-    call = PointsTo::get_a_call(func, ctx) and
+total_size = strictcount(ControlFlowNode call, CallableValue func, PointsToContext ctx |
+    call = func.getACall(ctx) and
    depth = ctx.getDepth()
 )
 and
--- a/python/ql/src/analysis/KeyPointsToFailure.ql
+++ b/python/ql/src/analysis/KeyPointsToFailure.ql
@@ -12,7 +12,7 @@ import python
 predicate points_to_failure(Expr e) {
    exists(ControlFlowNode f | 
        f = e.getAFlowNode() |
-        not f.refersTo(_)
+        not exists(f.pointsTo())
    )
 }

--- a/python/ql/src/analysis/Pruned.ql
+++ b/python/ql/src/analysis/Pruned.ql
@@ -6,7 +6,7 @@ from int size

 where
 size = count(ControlFlowNode f |
-    not PointsTo::Test::reachableBlock(f.getBasicBlock(), _)
+    not PointsToInternal::reachableBlock(f.getBasicBlock(), _)
 )


--- a/python/ql/src/semmle/python/pointsto/Filters.qll
+++ b/python/ql/src/semmle/python/pointsto/Filters.qll
@@ -31,3 +31,16 @@ predicate issubclass(CallNode fc, ControlFlowNode cls, ControlFlowNode use) {
    fc.getArg(0) = use and cls = fc.getArg(1)
 }

+/** Holds if `c` is a test comparing `x` and `y`. `is` is true if the operator is `is` or `==`, it is false if the operator is `is not` or `!=`. */
+predicate equality_test(CompareNode c, ControlFlowNode x, boolean is, ControlFlowNode y) {
+    exists(Cmpop op |
+        c.operands(x, op, y) or
+        c.operands(y, op, x)
+        |
+        (is = true and op instanceof Is or
+         is = false and op instanceof IsNot or
+         is = true and op instanceof Eq or
+         is = false and op instanceof NotEq
+        )
+    )
+}
--- a/python/ql/src/semmle/python/pointsto/PointsTo.qll
+++ b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -1145,20 +1145,6 @@ module Expressions {
        )
    }

-    /** Holds if `c` is a test comparing `x` and `y`. `is` is true if the operator is `is` or `==`, it is false if the operator is `is not` or `!=`. */
-    private predicate equality_test(CompareNode c, ControlFlowNode x, boolean is, ControlFlowNode y) {
-        exists(Cmpop op |
-            c.operands(x, op, y) or
-            c.operands(y, op, x)
-            |
-            (is = true and op instanceof Is or
-             is = false and op instanceof IsNot or
-             is = true and op instanceof Eq or
-             is = false and op instanceof NotEq
-            )
-        )
-    }
-
    pragma [noinline]
    private boolean inequalityEvaluatesTo(ControlFlowNode expr, PointsToContext context, ControlFlowNode use, ObjectInternal val) {
        exists(ControlFlowNode r, boolean sense |
--- a/python/ql/src/semmle/python/types/FunctionObject.qll
+++ b/python/ql/src/semmle/python/types/FunctionObject.qll
@@ -257,6 +257,10 @@ abstract class BuiltinCallable extends FunctionObject {

    abstract override string getQualifiedName();

+    override ControlFlowNode getArgumentForCall(CallNode call, int n) {
+        call = this.getACall() and result = call.getArg(n)
+    }
+
 }

 class BuiltinMethodObject extends BuiltinCallable {
--- a/python/ql/src/semmle/python/types/Object.qll
+++ b/python/ql/src/semmle/python/types/Object.qll
@@ -515,6 +515,15 @@ class SuperBoundMethod extends Object {
        result = "super()." + name
    }

+    Object getFunction(string fname) {
+        fname = name and
+        exists(SuperInstance sup, BoundMethodObjectInternal m |
+            sup = this.(AttrNode).getObject(name).pointsTo() and
+            sup.attribute(name, m, _) and
+            result = m.getFunction().getSource()
+        )
+    }
+
 }