Python points-to: Better handling of *args, **kwargs and procedures.

markshannon · markshannon · commit dbf228d00538 · 2019-04-26T16:21:45.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Callables.qll b/python/ql/src/semmle/python/objects/Callables.qll
@@ -75,12 +75,25 @@ class PythonFunctionObjectInternal extends CallableObjectInternal, TPythonFuncti
     override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) {
         exists(Function func, ControlFlowNode rval |
             func = this.getScope() and
-            callee.appliesToScope(func) and
+            callee.appliesToScope(func) |
             rval = func.getAReturnValueFlowNode() and
             PointsTo2::points_to(rval, callee, obj, origin)
+            or
+            exists(Return ret |
+                ret.getScope() = func and
+                PointsTo2::reachableBlock(ret.getAFlowNode().getBasicBlock(), callee) and
+                not exists(ret.getValue()) and
+                obj = ObjectInternal::none_() and
+                origin = CfgOrigin::unknown()
+            )
         )
     }
-    override predicate callResult(ObjectInternal obj, CfgOrigin origin) { none() }
+
+    override predicate callResult(ObjectInternal obj, CfgOrigin origin) { 
+        this.getScope().isProcedure() and
+        obj = ObjectInternal::none_() and
+        origin = CfgOrigin::unknown()
+    }
 
     override predicate calleeAndOffset(Function scope, int paramOffset) {
         scope = this.getScope() and paramOffset = 0
diff --git a/python/ql/src/semmle/python/objects/Constants.qll b/python/ql/src/semmle/python/objects/Constants.qll
@@ -140,7 +140,7 @@ class NoneObjectInternal extends ObjectInternal, TNone {
     }
 
     override Builtin getBuiltin() {
-        none()
+        result = Builtin::special("None")
     }
 
     override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) {
diff --git a/python/ql/src/semmle/python/objects/ObjectInternal.qll b/python/ql/src/semmle/python/objects/ObjectInternal.qll
@@ -292,7 +292,6 @@ module ObjectInternal {
         result = TNone()
     }
 
-
     ObjectInternal unknown() {
         result = TUnknown()
     }
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo2.qll b/python/ql/src/semmle/python/pointsto/PointsTo2.qll
@@ -520,7 +520,7 @@ module InterModulePointsTo {
         exists(string name, ModuleObjectInternal mod, CfgOrigin orig |
             from_import_imports(f, context, mod, name) and
             (mod.getSourceModule() != f.getEnclosingModule() or mod.isBuiltin()) and
-            mod.attribute(name, value, origin) and
+            mod.attribute(name, value, orig) and
             origin = orig.asCfgNodeOrHere(f)
             // TO DO... $ variables.
             //mod.getSourceModule() = f.getEnclosingModule() and
@@ -697,8 +697,8 @@ module InterProceduralPointsTo {
         named_parameter_points_to(def, context, value, origin)
         or
         default_parameter_points_to(def, context, value, origin)
-        // or
-        // special_parameter_points_to(def, context, value, origin)
+        or
+        special_parameter_points_to(def, context, value, origin)
     }
 
     /** Helper for `parameter_points_to` */
@@ -745,6 +745,30 @@ module InterProceduralPointsTo {
         )
     }
 
+    /** Helper for parameter_points_to */
+    pragma [noinline]
+    private predicate special_parameter_points_to(ParameterDefinition def, PointsToContext context, ObjectInternal value, ControlFlowNode origin) {
+        context.isRuntime() and
+        origin = def.getDefiningNode() and
+        exists(ControlFlowNode param |
+            param = def.getDefiningNode() |
+            exists(Function func | func.getVararg() = param.getNode()) and value = TUnknownInstance(ObjectInternal::builtin("tuple"))
+            or
+            exists(Function func | func.getKwarg() = param.getNode()) and value = TUnknownInstance(ObjectInternal::builtin("dict"))
+        )
+        or
+        exists(PointsToContext caller, CallNode call, Function f, Parameter p |
+            context.fromCall(call, caller) and
+            context.appliesToScope(f) and
+            f.getAnArg() = p and p = def.getParameter() and
+            not p.isSelf() and
+            not exists(call.getArg(p.getPosition())) and
+            not exists(call.getArgByName(p.getName())) and
+            (exists(call.getNode().getKwargs()) or exists(call.getNode().getStarargs())) and
+            value = ObjectInternal::unknown() and origin = def.getDefiningNode()
+        )
+    }
+
     /** Holds if the `(argument, caller)` pair matches up with `(param, callee)` pair across call. */
     cached predicate callsite_argument_transfer(ControlFlowNode argument, PointsToContext caller, ParameterDefinition param, PointsToContext callee) {
         exists(CallNode call, Function func, int n, int offset |

Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ class NoneObjectInternal extends ObjectInternal, TNone {`
`140`	`140`	`}`
`141`	`141`
`142`	`142`	`override Builtin getBuiltin() {`
`143`		`- none()`
	`143`	`+ result = Builtin::special("None")`
`144`	`144`	`}`
`145`	`145`
`146`	`146`	`override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) {`
Original file line number	Diff line number	Diff line change
`@@ -292,7 +292,6 @@ module ObjectInternal {`
`292`	`292`	`result = TNone()`
`293`	`293`	`}`
`294`	`294`
`295`		`-`
`296`	`295`	`ObjectInternal unknown() {`
`297`	`296`	`result = TUnknown()`
`298`	`297`	`}`