Python: stub for clearsContent

also remove all `CastNode`s (seems to help)
2026-04-28 02:05:14 +02:00 · 2020-06-26 13:09:35 +02:00
parent 248717473e
commit f84adb3c26
4 changed files with 64 additions and 2 deletions
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll
@@ -202,6 +202,7 @@ class DataFlowType extends TDataFlowType {

 /** A node that performs a type cast. */
 class CastNode extends Node {
+  CastNode() { none() }
 }

 /**
@@ -257,6 +258,16 @@ predicate readStep(Node node1, Content c, Node node2) {
  none()
 }

+/**
+ * Holds if values stored inside content `c` are cleared at node `n`. For example,
+ * any value stored inside `f` is cleared at the pre-update node associated with `x`
+ * in `x.f = newValue`.
+ */
+cached
+predicate clearsContent(Node n, Content c) {
+  none()
+}
+
 //--------
 // Fancy context-sensitive guards
 //--------
--- a/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
+++ b/python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll
@@ -124,7 +124,7 @@ class ParameterNode extends Node {
 * It is important that all extending classes in scope are disjoint.
 */
 class BarrierGuard extends Expr {
-  /** Holds if this guard validates `e` upon evaluating to `v`. */
+  // /** Holds if this guard validates `e` upon evaluating to `v`. */
  // abstract predicate checks(Expr e, AbstractValue v);

  /** Gets a node guarded by this guard. */
--- a/python/ql/src/experimental/dataflow/internal/readme.md
+++ b/python/ql/src/experimental/dataflow/internal/readme.md
@@ -123,4 +123,7 @@ Try recovering an existing taint tracking query by implementing sources, sinks,
 - Consider replacing def-use with def-to-first-use and use-to-next-use in local flow
 - The regression tests track the value of guards in order to eliminate impossible data flow. We currently have regressions because of this. We cannot readily replicate the existing method, as it uses the interdefinedness of data flow and taint tracking (there is a boolean taint kind). C++ does something similar for eliminating impossible control flow, which we might be able to replicate (they infer values of "interesting" control flow nodes, which are those needed to determine values of guards).
 - Flow for some syntactis constructs is done via extra taint steps in the existing implementation, we shoudl find a way to get data flow for it. Much of this should be covered by field flow.
- A document is being written about proper use of the shared data flow library, this should be adhered to.
+- A document is being written about proper use of the shared data flow library, this should be adhered to.
+- We seem to get duplicated results for global flow, as well as flow with and without type (so four times the "unique" results).
+- We currently consider control flow nodes like exit nodes for functions, we should probably filter down which ones are of interest.
+- We should probably override ToString for a number of data flow nodes
--- a/python/ql/test/experimental/dataflow/basic/globalStep.expected
+++ b/python/ql/test/experimental/dataflow/basic/globalStep.expected
@@ -20,22 +20,62 @@
 | test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
 | test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:3:2:3 | SSA variable y |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:3:2:3 | SSA variable y |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:3:2:3 | SSA variable y : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:3:2:3 | SSA variable y : DataFlowType |
 | test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:7:2:7 | ControlFlowNode for x |
 | test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:7:2:7 | ControlFlowNode for x |
 | test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType |
 | test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:3:3:3 | SSA variable z |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:3:3:3 | SSA variable z |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
+| test.py:1:19:1:19 | SSA variable x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:3:3:3 | SSA variable z |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:3:3:3 | SSA variable z |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType |
 | test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
+| test.py:2:3:2:3 | SSA variable y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
 | test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:2:3:2:3 | SSA variable y |
 | test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:2:3:2:3 | SSA variable y |
 | test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:2:3:2:3 | SSA variable y : DataFlowType |
 | test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:2:3:2:3 | SSA variable y : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:3:3:3 | SSA variable z |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:3:3:3 | SSA variable z |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
+| test.py:2:7:2:7 | ControlFlowNode for x : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
 | test.py:3:3:3:3 | SSA variable z : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:3:3:3 | SSA variable z : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
 | test.py:3:3:3:3 | SSA variable z : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
@@ -44,10 +84,18 @@
 | test.py:3:3:3:3 | SSA variable z : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:3:3:3:3 | SSA variable z : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
 | test.py:3:3:3:3 | SSA variable z : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:1:1:1:21 | Exit node for Function obfuscated_id : DataFlowType |
 | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:3:3:3:3 | SSA variable z |
 | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
 | test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:3:3:3:3 | SSA variable z : DataFlowType |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
+| test.py:3:7:3:7 | ControlFlowNode for y : DataFlowType | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType |
 | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |
 | test.py:4:10:4:10 | ControlFlowNode for z : DataFlowType | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() : DataFlowType |
 | test.py:6:1:6:1 | GSSA Variable a : DataFlowType | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |