Python points-to: Distinguish between class attribute access and lookup. Fixes handling of classmethods.

markshannon · markshannon · commit b8fb3e3e61f2 · 2019-04-26T16:21:46.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Classes.qll b/python/ql/src/semmle/python/objects/Classes.qll
@@ -40,10 +40,24 @@ abstract class ClassObjectInternal extends ObjectInternal {
     override predicate binds(ObjectInternal instance, string name, ObjectInternal descriptor) {
         instance = this and
         PointsToInternal::attributeRequired(this, name) and
-        this.attribute(name, descriptor, _) and
+        this.lookup(name, descriptor, _) and
         descriptor.isDescriptor() = true
     }
 
+    abstract predicate lookup(string name, ObjectInternal value, CfgOrigin origin);
+
+    /** Approximation to descriptor protocol, skipping meta-descriptor protocol */
+    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
+        exists(ObjectInternal descriptor, CfgOrigin desc_origin |
+            this.lookup(name, descriptor, desc_origin) |
+            descriptor.isDescriptor() = false and
+            value = descriptor and origin = desc_origin
+            or
+            descriptor.isDescriptor() = true and
+            descriptor.descriptorGet(this, value, origin)
+        )
+    }
+
 }
 
 class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject {
@@ -87,7 +101,7 @@ class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject
         )
     }
 
-    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
+    override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {
         exists(ClassObjectInternal decl |
             decl = Types::getMro(this).findDeclaringClass(name) |
             Types::declaredAttribute(decl, name, value, origin)
@@ -142,7 +156,7 @@ class BuiltinClassObjectInternal extends ClassObjectInternal, TBuiltinClassObjec
         none()
     }
 
-    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
+    override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {
         value = ObjectInternal::fromBuiltin(this.getBuiltin().getMember(name)) and
         origin = CfgOrigin::unknown()
     }
@@ -203,7 +217,7 @@ class UnknownClassInternal extends ClassObjectInternal, TUnknownClass {
         none()
     }
 
-    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
+    override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {
         none()
     }
 
@@ -251,7 +265,7 @@ class TypeInternal extends ClassObjectInternal, TType {
         none()
     }
 
-    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {
+    override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {
         none()
     }
 
diff --git a/python/ql/src/semmle/python/objects/Instances.qll b/python/ql/src/semmle/python/objects/Instances.qll
@@ -91,7 +91,7 @@ class SpecificInstanceInternal extends TSpecificInstance, ObjectInternal {
         this = instance and descriptor.isDescriptor() = true and
         exists(AttrNode attr |
             PointsToInternal::pointsTo(attr.getObject(name), _, instance, _) and
-            this.getClass().attribute(name, descriptor, _)
+            this.getClass().(ClassObjectInternal).lookup(name, descriptor, _)
         )
     }
 
@@ -302,7 +302,7 @@ private predicate receiver_type(AttrNode attr, string name, ObjectInternal value
 }
 
 private predicate cls_descriptor(ClassObjectInternal cls, string name, ObjectInternal descriptor) {
-    cls.attribute(name, descriptor, _) and
+    cls.lookup(name, descriptor, _) and
     descriptor.isDescriptor() = true
 }
 

Original file line number	Diff line number	Diff line change
`@@ -40,10 +40,24 @@ abstract class ClassObjectInternal extends ObjectInternal {`
`40`	`40`	`override predicate binds(ObjectInternal instance, string name, ObjectInternal descriptor) {`
`41`	`41`	`instance = this and`
`42`	`42`	`PointsToInternal::attributeRequired(this, name) and`
`43`		`- this.attribute(name, descriptor, _) and`
	`43`	`+ this.lookup(name, descriptor, _) and`
`44`	`44`	`descriptor.isDescriptor() = true`
`45`	`45`	`}`
`46`	`46`
	`47`	`+ abstract predicate lookup(string name, ObjectInternal value, CfgOrigin origin);`
	`48`	`+`
	`49`	`+ /** Approximation to descriptor protocol, skipping meta-descriptor protocol */`
	`50`	`+ override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {`
	`51`	`+ exists(ObjectInternal descriptor, CfgOrigin desc_origin \|`
	`52`	`+ this.lookup(name, descriptor, desc_origin) \|`
	`53`	`+ descriptor.isDescriptor() = false and`
	`54`	`+ value = descriptor and origin = desc_origin`
	`55`	`+ or`
	`56`	`+ descriptor.isDescriptor() = true and`
	`57`	`+ descriptor.descriptorGet(this, value, origin)`
	`58`	`+ )`
	`59`	`+ }`
	`60`	`+`
`47`	`61`	`}`
`48`	`62`
`49`	`63`	`class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject {`
`@@ -87,7 +101,7 @@ class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject`
`87`	`101`	`)`
`88`	`102`	`}`
`89`	`103`
`90`		`- override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {`
	`104`	`+ override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {`
`91`	`105`	`exists(ClassObjectInternal decl \|`
`92`	`106`	`decl = Types::getMro(this).findDeclaringClass(name) \|`
`93`	`107`	`Types::declaredAttribute(decl, name, value, origin)`
`@@ -142,7 +156,7 @@ class BuiltinClassObjectInternal extends ClassObjectInternal, TBuiltinClassObjec`
`142`	`156`	`none()`
`143`	`157`	`}`
`144`	`158`
`145`		`- override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {`
	`159`	`+ override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {`
`146`	`160`	`value = ObjectInternal::fromBuiltin(this.getBuiltin().getMember(name)) and`
`147`	`161`	`origin = CfgOrigin::unknown()`
`148`	`162`	`}`
`@@ -203,7 +217,7 @@ class UnknownClassInternal extends ClassObjectInternal, TUnknownClass {`
`203`	`217`	`none()`
`204`	`218`	`}`
`205`	`219`
`206`		`- override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {`
	`220`	`+ override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {`
`207`	`221`	`none()`
`208`	`222`	`}`
`209`	`223`
`@@ -251,7 +265,7 @@ class TypeInternal extends ClassObjectInternal, TType {`
`251`	`265`	`none()`
`252`	`266`	`}`
`253`	`267`
`254`		`- override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) {`
	`268`	`+ override predicate lookup(string name, ObjectInternal value, CfgOrigin origin) {`
`255`	`269`	`none()`
`256`	`270`	`}`
`257`	`271`
Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,7 @@ class SpecificInstanceInternal extends TSpecificInstance, ObjectInternal {`
`91`	`91`	`this = instance and descriptor.isDescriptor() = true and`
`92`	`92`	`exists(AttrNode attr \|`
`93`	`93`	`PointsToInternal::pointsTo(attr.getObject(name), _, instance, _) and`
`94`		`- this.getClass().attribute(name, descriptor, _)`
	`94`	`+ this.getClass().(ClassObjectInternal).lookup(name, descriptor, _)`
`95`	`95`	`)`
`96`	`96`	`}`
`97`	`97`
`@@ -302,7 +302,7 @@ private predicate receiver_type(AttrNode attr, string name, ObjectInternal value`
`302`	`302`	`}`
`303`	`303`
`304`	`304`	`private predicate cls_descriptor(ClassObjectInternal cls, string name, ObjectInternal descriptor) {`
`305`		`- cls.attribute(name, descriptor, _) and`
	`305`	`+ cls.lookup(name, descriptor, _) and`
`306`	`306`	`descriptor.isDescriptor() = true`
`307`	`307`	`}`
`308`	`308`