Merge pull request #2817 from BekaValentine/objectapi-to-valueapi-truncateddivision

tausbn · web-flow · commit e09907894d95 · 2020-02-27T12:52:26.000+01:00
Python: ObjectAPI to ValueAPI: TruncatedDivision
diff --git a/python/ql/src/Expressions/TruncatedDivision.ql b/python/ql/src/Expressions/TruncatedDivision.ql
@@ -18,19 +18,20 @@ where
     // Only relevant for Python 2, as all later versions implement true division
     major_version() = 2
     and
-    exists(BinaryExprNode bin, Object lobj, Object robj |
+    exists(BinaryExprNode bin, Value lval, Value rval |
         bin = div.getAFlowNode()
         and bin.getNode().getOp() instanceof Div
-        and bin.getLeft().refersTo(lobj, theIntType(), left)
-        and bin.getRight().refersTo(robj, theIntType(), right)
+        and bin.getLeft().pointsTo(lval, left)
+        and lval.getClass() = ClassValue::int_()
+        and bin.getRight().pointsTo(rval, right)
+        and rval.getClass() = ClassValue::int_()
         // Ignore instances where integer division leaves no remainder
-        and not lobj.(NumericObject).intValue() % robj.(NumericObject).intValue() = 0
+        and not lval.(NumericValue).getIntValue() % rval.(NumericValue).getIntValue() = 0
         and not bin.getNode().getEnclosingModule().hasFromFuture("division")
         // Filter out results wrapped in `int(...)`
-        and not exists(CallNode c, ClassObject cls |
-            c.getAnArg() = bin
-            and c.getFunction().refersTo(cls)
-            and cls.getName() = "int"
+        and not exists(CallNode c |
+            c = ClassValue::int_().getACall()
+            and c.getAnArg() = bin
         )
     )
 select div, "Result of division may be truncated as its $@ and $@ arguments may both be integers.",
diff --git a/python/ql/src/semmle/python/objects/ObjectAPI.qll b/python/ql/src/semmle/python/objects/ObjectAPI.qll
@@ -78,7 +78,7 @@ class Value extends TObject {
     predicate isBuiltin() {
         this.(ObjectInternal).isBuiltin()
     }
-
+    
     predicate hasLocationInfo(string filepath, int bl, int bc, int el, int ec) {
         this.(ObjectInternal).getOrigin().getLocation().hasLocationInfo(filepath, bl, bc, el, ec)
         or
diff --git a/python/ql/test/2/query-tests/Expressions/TruncatedDivision.expected b/python/ql/test/2/query-tests/Expressions/TruncatedDivision.expected
@@ -1,2 +1,2 @@
-| TruncatedDivision_test.py:8:12:8:16 | BinaryExpr | Result of division may be truncated as its $@ and $@ arguments may both be integers. | TruncatedDivision_test.py:8:12:8:12 | TruncatedDivision_test.py:8 | left | TruncatedDivision_test.py:8:16:8:16 | TruncatedDivision_test.py:8 | right |
-| TruncatedDivision_test.py:11:12:11:40 | BinaryExpr | Result of division may be truncated as its $@ and $@ arguments may both be integers. | TruncatedDivision_test.py:2:12:2:12 | TruncatedDivision_test.py:2 | left | TruncatedDivision_test.py:5:12:5:12 | TruncatedDivision_test.py:5 | right |
+| TruncatedDivision_test.py:65:7:65:11 | BinaryExpr | Result of division may be truncated as its $@ and $@ arguments may both be integers. | TruncatedDivision_test.py:65:7:65:7 | TruncatedDivision_test.py:65 | left | TruncatedDivision_test.py:65:11:65:11 | TruncatedDivision_test.py:65 | right |
+| TruncatedDivision_test.py:72:7:72:35 | BinaryExpr | Result of division may be truncated as its $@ and $@ arguments may both be integers. | TruncatedDivision_test.py:25:12:25:12 | TruncatedDivision_test.py:25 | left | TruncatedDivision_test.py:28:12:28:12 | TruncatedDivision_test.py:28 | right |
diff --git a/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py b/python/ql/test/2/query-tests/Expressions/TruncatedDivision_test.py
@@ -1,24 +1,88 @@
+#### TruncatedDivision.ql
+
+# NOTE: The following test case will only work under Python 2.
+
+# Truncated division occurs when two integers are divided. This causes the
+# fractional part, if there is one, to be discared. So for example, `2 / 3` will
+# evaluate to `0` instead of `0.666...`.
+
+
+
+
+
+## Negative Cases
+
+
+
+# This case is good, and is a minimal obvious case that should be good. It
+# SHOULD NOT be found by the query.
+print(3.0 / 2.0)
+
+# This case is good, because it explicitly converts the possibly-truncated
+# value to an integer. It SHOULD NOT be found by the query.
+
 def return_three():
     return 3
 
 def return_two():
     return 2
 
-def f1():
-    return 3 / 2
+print(int(return_three() / return_two()))
+
+
 
-def f2():
-    return return_three() / return_two()
+# These cases are good, because `halve` checks the type, and if the type would
+# truncate, it explicitly converts to a float first before doing the division.
+# These SHOULD NOT be found by the query.
 
-def f3(x):
+def halve(x):
     if isinstance(x, float):
         return x / 2
     else:
         return (1.0 * x) / 2
 
-def f4():
-    do_stuff(f3(1))
-    do_stuff(f3(1.0))
+print(halve(1))
+print(halve(1.0))
+
+
+
+# This case is good, because the sum is `3.0`, which is a float, and will not
+# truncate. This case SHOULD NOT be found by the query.
+
+print(average([1.0, 2.0]))
+
+
+
+
+
+## Positive Cases
+
+
+
+# This case is bad, and is a minimal obvious case that should be bad. It
+# SHOULD be found by the query.
+
+print(3 / 2)
+
+
+
+# This case is bad. It uses indirect returns of integers through function calls
+# to produce the problem. I
+
+print(return_three() / return_two())
+
+
+
+# This case is bad, because the sum is `3`, which is an integer, and will
+# truncate when divided by the length `2`. This case SHOULD be found by the
+# query.
+
+# NOTE (2020-02-20):
+# The current version of the Value/pointsTo API doesn't permit this detection,
+# unfortunately, but we preserve this example in the hopes that future
+# versions will catch it. That will necessitate changing the expected results.
+
+def average(l):
+    return sum(l) / len(l)
 
-def f5():
-    return int(return_three() / return_two())
+print(average([1,2]))

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ class Value extends TObject {`
`78`	`78`	`predicate isBuiltin() {`
`79`	`79`	`this.(ObjectInternal).isBuiltin()`
`80`	`80`	`}`
`81`		`-`
	`81`	`+`
`82`	`82`	`predicate hasLocationInfo(string filepath, int bl, int bc, int el, int ec) {`
`83`	`83`	`this.(ObjectInternal).getOrigin().getLocation().hasLocationInfo(filepath, bl, bc, el, ec)`
`84`	`84`	`or`