Python points-to: Track 'unknown' value through simple iteration.

markshannon · markshannon · commit 03159bb31c2c · 2019-04-26T16:21:46.000+01:00
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -409,8 +409,8 @@ cached module PointsToInternal {
         scope_entry_points_to(def, context, value, origin)
         or
         InterModulePointsTo::implicit_submodule_points_to(def, context, value, origin)
-        // or
-        // iteration_definition_points_to(def, context, value, origin)
+        or
+        iteration_definition_points_to(def, context, value, origin)
         /*
          * No points-to for non-local function entry definitions yet.
          */
@@ -564,6 +564,11 @@ cached module PointsToInternal {
         )
     }
 
+    private predicate iteration_definition_points_to(IterationDefinition def, PointsToContext context, ObjectInternal value, ControlFlowNode origin) {
+        pointsTo(def.getSequence(), context, ObjectInternal::unknown(), _) and
+        value = ObjectInternal::unknown() and origin = def.getDefiningNode()
+    }
+
     /** Holds if `f` is an expression node `tval if cond else fval` and points to `(value, origin)`. */
     private predicate if_exp_points_to(IfExprNode f, PointsToContext context, ObjectInternal value, ControlFlowNode origin) {
         pointsTo(f.getAnOperand(), context, value, origin)
diff --git a/python/ql/test/library-tests/PointsTo/new/PointsToUnknown.expected b/python/ql/test/library-tests/PointsTo/new/PointsToUnknown.expected
@@ -4,14 +4,15 @@
 | a_simple.py:24 | ControlFlowNode for x | 23 |
 | a_simple.py:29 | ControlFlowNode for x | 27 |
 | a_simple.py:35 | ControlFlowNode for Subscript | 35 |
+| a_simple.py:35 | ControlFlowNode for UnaryExpr | 35 |
 | a_simple.py:35 | ControlFlowNode for args | 34 |
 | a_simple.py:36 | ControlFlowNode for Subscript | 36 |
+| a_simple.py:36 | ControlFlowNode for UnaryExpr | 36 |
 | a_simple.py:36 | ControlFlowNode for kwargs | 34 |
 | b_condition.py:5 | ControlFlowNode for IfExp | 5 |
 | b_condition.py:5 | ControlFlowNode for cond | 5 |
 | b_condition.py:5 | ControlFlowNode for unknown | 5 |
 | b_condition.py:5 | ControlFlowNode for unknown() | 5 |
-| b_condition.py:5 | ControlFlowNode for x | 5 |
 | b_condition.py:7 | ControlFlowNode for x | 5 |
 | b_condition.py:9 | ControlFlowNode for use | 9 |
 | b_condition.py:9 | ControlFlowNode for use() | 9 |
@@ -20,7 +21,6 @@
 | b_condition.py:11 | ControlFlowNode for cond | 11 |
 | b_condition.py:11 | ControlFlowNode for unknown | 11 |
 | b_condition.py:11 | ControlFlowNode for unknown() | 11 |
-| b_condition.py:11 | ControlFlowNode for x | 11 |
 | b_condition.py:13 | ControlFlowNode for x | 11 |
 | b_condition.py:15 | ControlFlowNode for use | 15 |
 | b_condition.py:15 | ControlFlowNode for use() | 15 |
@@ -29,7 +29,7 @@
 | b_condition.py:17 | ControlFlowNode for cond | 17 |
 | b_condition.py:17 | ControlFlowNode for unknown | 17 |
 | b_condition.py:17 | ControlFlowNode for unknown() | 17 |
-| b_condition.py:17 | ControlFlowNode for x | 17 |
+| b_condition.py:19 | ControlFlowNode for UnaryExpr | 19 |
 | b_condition.py:19 | ControlFlowNode for x | 17 |
 | b_condition.py:21 | ControlFlowNode for use | 21 |
 | b_condition.py:21 | ControlFlowNode for use() | 21 |
@@ -38,7 +38,6 @@
 | b_condition.py:23 | ControlFlowNode for cond | 23 |
 | b_condition.py:23 | ControlFlowNode for unknown | 23 |
 | b_condition.py:23 | ControlFlowNode for unknown() | 23 |
-| b_condition.py:23 | ControlFlowNode for x | 23 |
 | b_condition.py:25 | ControlFlowNode for IfExp | 23 |
 | b_condition.py:25 | ControlFlowNode for x | 23 |
 | b_condition.py:26 | ControlFlowNode for use | 26 |
@@ -53,7 +52,7 @@
 | b_condition.py:31 | ControlFlowNode for cond | 31 |
 | b_condition.py:31 | ControlFlowNode for unknown | 31 |
 | b_condition.py:31 | ControlFlowNode for unknown() | 31 |
-| b_condition.py:31 | ControlFlowNode for x | 31 |
+| b_condition.py:32 | ControlFlowNode for UnaryExpr | 32 |
 | b_condition.py:32 | ControlFlowNode for x | 31 |
 | b_condition.py:34 | ControlFlowNode for use | 34 |
 | b_condition.py:34 | ControlFlowNode for use() | 34 |
@@ -64,16 +63,14 @@
 | b_condition.py:37 | ControlFlowNode for x | 31 |
 | b_condition.py:39 | ControlFlowNode for thing | 39 |
 | b_condition.py:39 | ControlFlowNode for thing() | 39 |
-| b_condition.py:39 | ControlFlowNode for v2 | 39 |
-| b_condition.py:41 | ControlFlowNode for Attribute | 39 |
 | b_condition.py:41 | ControlFlowNode for v2 | 39 |
-| b_condition.py:42 | ControlFlowNode for Attribute | 39 |
+| b_condition.py:42 | ControlFlowNode for Attribute | 42 |
 | b_condition.py:42 | ControlFlowNode for v2 | 39 |
-| b_condition.py:43 | ControlFlowNode for Attribute | 39 |
+| b_condition.py:43 | ControlFlowNode for Attribute | 43 |
 | b_condition.py:43 | ControlFlowNode for use | 43 |
 | b_condition.py:43 | ControlFlowNode for use() | 43 |
 | b_condition.py:43 | ControlFlowNode for v2 | 39 |
-| b_condition.py:44 | ControlFlowNode for Attribute | 39 |
+| b_condition.py:44 | ControlFlowNode for Attribute | 44 |
 | b_condition.py:44 | ControlFlowNode for use | 44 |
 | b_condition.py:44 | ControlFlowNode for use() | 44 |
 | b_condition.py:44 | ControlFlowNode for v2 | 39 |
@@ -84,19 +81,19 @@
 | b_condition.py:58 | ControlFlowNode for use | 58 |
 | b_condition.py:58 | ControlFlowNode for use() | 58 |
 | b_condition.py:58 | ControlFlowNode for v | 56 |
-| b_condition.py:62 | ControlFlowNode for Attribute | 61 |
+| b_condition.py:62 | ControlFlowNode for Attribute | 62 |
 | b_condition.py:62 | ControlFlowNode for x | 61 |
 | b_condition.py:64 | ControlFlowNode for y | 61 |
-| b_condition.py:65 | ControlFlowNode for Attribute | 61 |
+| b_condition.py:65 | ControlFlowNode for Attribute | 65 |
 | b_condition.py:65 | ControlFlowNode for x | 61 |
-| b_condition.py:66 | ControlFlowNode for Attribute | 61 |
+| b_condition.py:66 | ControlFlowNode for Attribute | 66 |
 | b_condition.py:66 | ControlFlowNode for seq | 66 |
 | b_condition.py:66 | ControlFlowNode for x | 61 |
 | b_condition.py:70 | ControlFlowNode for IfExp | 70 |
-| b_condition.py:70 | ControlFlowNode for b | 70 |
 | b_condition.py:70 | ControlFlowNode for cond | 70 |
 | b_condition.py:70 | ControlFlowNode for unknown | 70 |
 | b_condition.py:70 | ControlFlowNode for unknown() | 70 |
+| b_condition.py:71 | ControlFlowNode for UnaryExpr | 71 |
 | b_condition.py:71 | ControlFlowNode for b | 70 |
 | b_condition.py:73 | ControlFlowNode for b | 70 |
 | b_condition.py:79 | ControlFlowNode for use | 79 |
@@ -120,84 +117,80 @@
 | b_condition.py:99 | ControlFlowNode for use | 99 |
 | b_condition.py:99 | ControlFlowNode for use() | 99 |
 | b_condition.py:102 | ControlFlowNode for a | 101 |
+| b_condition.py:104 | ControlFlowNode for UnaryExpr | 104 |
 | b_condition.py:104 | ControlFlowNode for a | 101 |
 | b_condition.py:105 | ControlFlowNode for Subscript | 105 |
+| b_condition.py:105 | ControlFlowNode for UnaryExpr | 105 |
 | b_condition.py:105 | ControlFlowNode for a | 101 |
 | c_tests.py:5 | ControlFlowNode for IfExp | 5 |
 | c_tests.py:5 | ControlFlowNode for cond | 5 |
 | c_tests.py:5 | ControlFlowNode for unknown | 5 |
 | c_tests.py:5 | ControlFlowNode for unknown() | 5 |
-| c_tests.py:5 | ControlFlowNode for x | 5 |
 | c_tests.py:7 | ControlFlowNode for x | 5 |
 | c_tests.py:10 | ControlFlowNode for cond | 10 |
 | c_tests.py:15 | ControlFlowNode for cond | 15 |
 | c_tests.py:21 | ControlFlowNode for cond | 21 |
 | c_tests.py:21 | ControlFlowNode for unknown | 21 |
 | c_tests.py:21 | ControlFlowNode for unknown() | 21 |
-| c_tests.py:32 | ControlFlowNode for Attribute | 4 |
-| c_tests.py:32 | ControlFlowNode for Attribute | 32 |
 | c_tests.py:32 | ControlFlowNode for IfExp | 32 |
 | c_tests.py:32 | ControlFlowNode for cond | 32 |
 | c_tests.py:32 | ControlFlowNode for unknown | 32 |
 | c_tests.py:32 | ControlFlowNode for unknown() | 32 |
 | c_tests.py:32 | ControlFlowNode for y | 4 |
-| c_tests.py:34 | ControlFlowNode for Attribute | 4 |
-| c_tests.py:34 | ControlFlowNode for Attribute | 32 |
+| c_tests.py:34 | ControlFlowNode for Attribute | 34 |
 | c_tests.py:34 | ControlFlowNode for y | 4 |
-| c_tests.py:37 | ControlFlowNode for Attribute | 4 |
 | c_tests.py:37 | ControlFlowNode for cond | 37 |
 | c_tests.py:37 | ControlFlowNode for y | 4 |
-| c_tests.py:39 | ControlFlowNode for Attribute | 4 |
+| c_tests.py:39 | ControlFlowNode for Attribute | 39 |
 | c_tests.py:39 | ControlFlowNode for y | 4 |
-| c_tests.py:42 | ControlFlowNode for Attribute | 4 |
 | c_tests.py:42 | ControlFlowNode for cond | 42 |
 | c_tests.py:42 | ControlFlowNode for y | 4 |
-| c_tests.py:44 | ControlFlowNode for Attribute | 4 |
+| c_tests.py:44 | ControlFlowNode for Attribute | 44 |
 | c_tests.py:44 | ControlFlowNode for y | 4 |
-| c_tests.py:48 | ControlFlowNode for Attribute | 4 |
 | c_tests.py:48 | ControlFlowNode for cond | 48 |
 | c_tests.py:48 | ControlFlowNode for unknown | 48 |
 | c_tests.py:48 | ControlFlowNode for unknown() | 48 |
 | c_tests.py:48 | ControlFlowNode for y | 4 |
-| c_tests.py:50 | ControlFlowNode for Attribute | 4 |
+| c_tests.py:50 | ControlFlowNode for Attribute | 50 |
 | c_tests.py:50 | ControlFlowNode for y | 4 |
-| c_tests.py:53 | ControlFlowNode for Attribute | 4 |
+| c_tests.py:53 | ControlFlowNode for Attribute | 53 |
 | c_tests.py:53 | ControlFlowNode for y | 4 |
 | c_tests.py:58 | ControlFlowNode for cond | 58 |
 | c_tests.py:63 | ControlFlowNode for cond | 63 |
+| c_tests.py:65 | ControlFlowNode for hasattr() | 65 |
 | c_tests.py:73 | ControlFlowNode for x | 71 |
 | c_tests.py:73 | ControlFlowNode for y | 71 |
+| c_tests.py:74 | ControlFlowNode for BinaryExpr | 74 |
 | c_tests.py:74 | ControlFlowNode for x | 71 |
 | c_tests.py:74 | ControlFlowNode for y | 71 |
 | c_tests.py:76 | ControlFlowNode for x | 71 |
 | c_tests.py:76 | ControlFlowNode for y | 71 |
+| c_tests.py:77 | ControlFlowNode for BinaryExpr | 77 |
 | c_tests.py:77 | ControlFlowNode for x | 71 |
 | c_tests.py:77 | ControlFlowNode for y | 71 |
 | c_tests.py:80 | ControlFlowNode for IfExp | 80 |
-| c_tests.py:80 | ControlFlowNode for b | 80 |
 | c_tests.py:80 | ControlFlowNode for cond | 80 |
 | c_tests.py:80 | ControlFlowNode for unknown | 80 |
 | c_tests.py:80 | ControlFlowNode for unknown() | 80 |
 | c_tests.py:81 | ControlFlowNode for b | 80 |
 | c_tests.py:83 | ControlFlowNode for IfExp | 83 |
-| c_tests.py:83 | ControlFlowNode for b | 83 |
 | c_tests.py:83 | ControlFlowNode for cond | 83 |
 | c_tests.py:83 | ControlFlowNode for unknown | 83 |
 | c_tests.py:83 | ControlFlowNode for unknown() | 83 |
+| c_tests.py:84 | ControlFlowNode for UnaryExpr | 84 |
 | c_tests.py:84 | ControlFlowNode for b | 83 |
 | c_tests.py:87 | ControlFlowNode for unknown | 87 |
 | c_tests.py:87 | ControlFlowNode for unknown() | 87 |
 | c_tests.py:90 | ControlFlowNode for IfExp | 90 |
 | c_tests.py:90 | ControlFlowNode for cond | 90 |
 | c_tests.py:90 | ControlFlowNode for unknown | 90 |
 | c_tests.py:90 | ControlFlowNode for unknown() | 90 |
-| c_tests.py:90 | ControlFlowNode for x | 90 |
 | c_tests.py:91 | ControlFlowNode for x | 90 |
 | c_tests.py:94 | ControlFlowNode for IfExp | 94 |
 | c_tests.py:94 | ControlFlowNode for cond | 94 |
 | c_tests.py:94 | ControlFlowNode for unknown | 94 |
 | c_tests.py:94 | ControlFlowNode for unknown() | 94 |
-| c_tests.py:94 | ControlFlowNode for x | 94 |
+| c_tests.py:95 | ControlFlowNode for UnaryExpr | 95 |
 | c_tests.py:95 | ControlFlowNode for x | 94 |
 | c_tests.py:99 | ControlFlowNode for bar | 99 |
 | c_tests.py:99 | ControlFlowNode for bar() | 99 |
@@ -206,30 +199,37 @@
 | c_tests.py:99 | ControlFlowNode for x | 98 |
 | c_tests.py:100 | ControlFlowNode for use | 100 |
 | c_tests.py:100 | ControlFlowNode for use() | 100 |
-| c_tests.py:100 | ControlFlowNode for x | 98 |
 | h_classes.py:12 | ControlFlowNode for name | 12 |
 | h_classes.py:17 | ControlFlowNode for arg | 14 |
 | h_classes.py:18 | ControlFlowNode for name | 18 |
 | h_classes.py:26 | ControlFlowNode for choice | 25 |
 | h_classes.py:28 | ControlFlowNode for choice | 25 |
 | h_classes.py:42 | ControlFlowNode for unknown | 42 |
 | h_classes.py:42 | ControlFlowNode for unknown() | 42 |
+| r_regressions.py:9 | ControlFlowNode for Attribute | 9 |
+| r_regressions.py:9 | ControlFlowNode for Attribute() | 9 |
+| r_regressions.py:18 | ControlFlowNode for Attribute | 18 |
+| r_regressions.py:18 | ControlFlowNode for Attribute() | 18 |
+| r_regressions.py:20 | ControlFlowNode for Attribute | 20 |
+| r_regressions.py:21 | ControlFlowNode for close | 20 |
+| r_regressions.py:23 | ControlFlowNode for close | 20 |
+| r_regressions.py:23 | ControlFlowNode for close() | 23 |
 | r_regressions.py:29 | ControlFlowNode for x | 27 |
 | r_regressions.py:31 | ControlFlowNode for y | 27 |
 | r_regressions.py:33 | ControlFlowNode for y | 27 |
+| r_regressions.py:35 | ControlFlowNode for UnaryExpr | 35 |
 | r_regressions.py:36 | ControlFlowNode for z | 27 |
 | r_regressions.py:39 | ControlFlowNode for use | 39 |
 | r_regressions.py:39 | ControlFlowNode for use() | 39 |
 | r_regressions.py:39 | ControlFlowNode for y | 27 |
-| r_regressions.py:43 | ControlFlowNode for List | 43 |
 | r_regressions.py:43 | ControlFlowNode for x | 43 |
 | r_regressions.py:43 | ControlFlowNode for x() | 43 |
 | r_regressions.py:52 | ControlFlowNode for msg | 51 |
 | r_regressions.py:64 | ControlFlowNode for do_validation | 64 |
 | r_regressions.py:64 | ControlFlowNode for do_validation() | 64 |
+| r_regressions.py:73 | ControlFlowNode for setattr() | 73 |
 | r_regressions.py:90 | ControlFlowNode for Attribute | 90 |
 | r_regressions.py:90 | ControlFlowNode for Attribute() | 90 |
 | r_regressions.py:102 | ControlFlowNode for unrelated_call | 102 |
 | r_regressions.py:102 | ControlFlowNode for unrelated_call() | 102 |
-| r_regressions.py:107 | ControlFlowNode for Attribute | 106 |
 | r_regressions.py:107 | ControlFlowNode for x | 106 |
diff --git a/python/ql/test/library-tests/PointsTo/new/PointsToUnknown.ql b/python/ql/test/library-tests/PointsTo/new/PointsToUnknown.ql
@@ -1,9 +1,10 @@
 import python
 import Util
 import semmle.python.pointsto.PointsTo
+import semmle.python.objects.ObjectInternal
 
 from ControlFlowNode f, ControlFlowNode x
 
-where PointsTo::points_to(f, _, unknownValue(), _, x)
+where PointsTo::pointsTo(f, _, ObjectInternal::unknown(), x)
 
 select locate(f.getLocation(), "abchr"), f.toString(), x.getLocation().getStartLine()
