Python points-to: Improve handling of subscripts and sequence inequalities.

markshannon · markshannon · commit 3bb61e741052 · 2019-04-26T16:21:47.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Callables.qll b/python/ql/src/semmle/python/objects/Callables.qll
@@ -54,6 +54,8 @@ abstract class CallableObjectInternal extends ObjectInternal {
 
     abstract predicate neverReturns();
 
+    override predicate subscriptUnknown() { none() }
+
 }
 
 
diff --git a/python/ql/src/semmle/python/objects/Classes.qll b/python/ql/src/semmle/python/objects/Classes.qll
@@ -75,6 +75,7 @@ abstract class ClassObjectInternal extends ObjectInternal {
         result = false
     }
 
+    override predicate subscriptUnknown() { none() }
 }
 
 class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject {
diff --git a/python/ql/src/semmle/python/objects/Constants.qll b/python/ql/src/semmle/python/objects/Constants.qll
@@ -43,6 +43,8 @@ abstract class ConstantObjectInternal extends ObjectInternal {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() { none() }
+
     override boolean isDescriptor() { result = false }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
diff --git a/python/ql/src/semmle/python/objects/Descriptors.qll b/python/ql/src/semmle/python/objects/Descriptors.qll
@@ -53,6 +53,8 @@ class PropertyInternal extends ObjectInternal, TProperty {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() { none() }
+
     override boolean isDescriptor() { result = true }
 
     override int length() { none() }
@@ -133,6 +135,8 @@ class ClassMethodObjectInternal extends ObjectInternal, TClassMethod {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() { none() }
+
     override boolean isDescriptor() { result = true }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) {
@@ -207,6 +211,8 @@ class StaticMethodObjectInternal extends ObjectInternal, TStaticMethod {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() { none() }
+
     override boolean isDescriptor() { result = true }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) {
diff --git a/python/ql/src/semmle/python/objects/Instances.qll b/python/ql/src/semmle/python/objects/Instances.qll
@@ -102,6 +102,8 @@ class SpecificInstanceInternal extends TSpecificInstance, ObjectInternal {
 
     pragma [noinline] override predicate attributesUnknown() { any() }
 
+    override predicate subscriptUnknown() { any() }
+
     override boolean isDescriptor() { result = false }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
@@ -203,6 +205,8 @@ class SelfInstanceInternal extends TSelfInstance, ObjectInternal {
 
     pragma [noinline] override predicate attributesUnknown() { any() }
 
+    override predicate subscriptUnknown() { any() }
+
     override boolean isDescriptor() { result = false }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
@@ -305,6 +309,8 @@ class UnknownInstanceInternal extends TUnknownInstance, ObjectInternal {
 
     pragma [noinline] override predicate attributesUnknown() { any() }
 
+    override predicate subscriptUnknown() { any() }
+
     override boolean isDescriptor() { result = false }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
@@ -385,6 +391,8 @@ class SuperInstance extends TSuperInstance, ObjectInternal {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() { any() }
+
     override boolean isDescriptor() { result = false }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
diff --git a/python/ql/src/semmle/python/objects/Modules.qll b/python/ql/src/semmle/python/objects/Modules.qll
@@ -45,6 +45,8 @@ abstract class ModuleObjectInternal extends ObjectInternal {
 
     override int length() { none() }
 
+    override predicate subscriptUnknown() { any() }
+
 }
 
 class BuiltinModuleObjectInternal extends ModuleObjectInternal, TBuiltinModuleObject {
diff --git a/python/ql/src/semmle/python/objects/ObjectInternal.qll b/python/ql/src/semmle/python/objects/ObjectInternal.qll
@@ -63,7 +63,7 @@ class ObjectInternal extends TObject {
      */
     abstract int intValue();
 
-    /** The integer value of things that have integer values.
+    /** The string value of things that have string values.
      * That is, strings.
      */
     abstract string strValue();
@@ -78,6 +78,8 @@ class ObjectInternal extends TObject {
 
     abstract predicate attributesUnknown();
 
+    abstract predicate subscriptUnknown();
+
     /** For backwards compatibility shim -- Not all objects have a "source".
      * Objects (except unknown and undefined values) should attempt to return
      * exactly one result for this method.
@@ -174,6 +176,10 @@ class BuiltinOpaqueObjectInternal extends ObjectInternal, TBuiltinOpaqueObject {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() {
+        exists(this.getBuiltin().getItem(_))
+    }
+
     override boolean isDescriptor() { result = false }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
@@ -247,6 +253,8 @@ class UnknownInternal extends ObjectInternal, TUnknown {
 
     pragma [noinline] override predicate attributesUnknown() { any() }
 
+    override predicate subscriptUnknown() { any() }
+
     override boolean isDescriptor() { result = false }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
@@ -321,6 +329,8 @@ class UndefinedInternal extends ObjectInternal, TUndefined {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() { none() }
+
     override boolean isDescriptor() { none() }
 
     pragma [noinline] override predicate descriptorGetClass(ObjectInternal cls, ObjectInternal value, CfgOrigin origin) { none() }
@@ -378,7 +388,10 @@ module ObjectInternal {
     ObjectInternal fromBuiltin(Builtin b) {
         b = result.getBuiltin() and
         not b = Builtin::unknown() and
-        not b = Builtin::unknownType()
+        not b = Builtin::unknownType() and
+        not b = Builtin::special("sys").getMember("version_info")
+        or
+        b = Builtin::special("sys").getMember("version_info") and result = TSysVersionInfo()
     }
 
     ObjectInternal classMethod() {
diff --git a/python/ql/src/semmle/python/objects/Sequences.qll b/python/ql/src/semmle/python/objects/Sequences.qll
@@ -87,6 +87,8 @@ abstract class TupleObjectInternal extends SequenceObjectInternal {
 
     pragma [noinline] override predicate attributesUnknown() { none() }
 
+    override predicate subscriptUnknown() { none() }
+
 }
 
 class BuiltinTupleObjectInternal extends TBuiltinTuple, TupleObjectInternal {
@@ -146,4 +148,80 @@ class PythonTupleObjectInternal extends TPythonTuple, TupleObjectInternal {
 
 }
 
+class SysVersionInfoObjectInternal extends TSysVersionInfo, SequenceObjectInternal {
+
+    override string toString() {
+        result = "sys.version_info"
+    }
+
+    override ObjectInternal getItem(int n) {
+        n = 0 and result = TInt(major_version())
+        or
+        n = 1 and result = TInt(minor_version())
+    }
+
+    override predicate introduced(ControlFlowNode node, PointsToContext context) { none() }
+
+    /** Gets the class declaration for this object, if it is a declared class. */
+    override ClassDecl getClassDeclaration() {
+        result = Builtin::special("sys").getMember("version_info").getClass()
+    }
+
+    /** True if this "object" is a class. */
+    override boolean isClass() { result = false }
+
+    override ObjectInternal getClass() {
+        result.getBuiltin() = this.getClassDeclaration()
+    }
+
+    override boolean isComparable() {
+        result = true
+    }
+
+    /** Gets the `Builtin` for this object, if any.
+     * Objects (except unknown and undefined values) should attempt to return
+     * exactly one result for either this method or `getOrigin()`.
+     */
+    override Builtin getBuiltin() { none() }
+
+    /** Gets a control flow node that represents the source origin of this
+     * objects.
+     */
+    override ControlFlowNode getOrigin() { none() }
+
+    /** Holds if `obj` is the result of calling `this` and `origin` is
+     * the origin of `obj`.
+     */
+    override predicate callResult(ObjectInternal obj, CfgOrigin origin) { none() }
+
+    /** Holds if `obj` is the result of calling `this` and `origin` is
+     * the origin of `obj` with callee context `callee`.
+     */
+    override predicate callResult(PointsToContext callee, ObjectInternal obj, CfgOrigin origin) { none() }
+
+    /** The integer value of things that have integer values.
+     * That is, ints and bools.
+     */
+    override int intValue() { none() }
+
+    /** The integer value of things that have integer values.
+     * That is, strings.
+     */
+    override string strValue() { none() }
+
+    override predicate calleeAndOffset(Function scope, int paramOffset) { none() }
+
+    override predicate attribute(string name, ObjectInternal value, CfgOrigin origin) { none() }
 
+    override predicate attributesUnknown() { none() }
+
+    override predicate subscriptUnknown() { none() }
+
+    /** Gets the length of the sequence that this "object" represents.
+     * Always returns a value for a sequence, will be -1 if object has no fixed length.
+     */
+    override int length() { result = 5 }
+
+    override predicate functionAndOffset(CallableObjectInternal function, int offset) { none() }
+
+}
diff --git a/python/ql/src/semmle/python/objects/TObject.qll b/python/ql/src/semmle/python/objects/TObject.qll
@@ -136,6 +136,8 @@ newtype TObject =
         not count(instantiation.getAnArg()) = 1 and
         Types::getMro(metacls).contains(TType())
     }
+    or
+    TSysVersionInfo()
 
 private predicate is_power_2(int n) {
     n = 1 or
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -1096,8 +1096,17 @@ module Expressions {
     predicate subscriptPointsTo(SubscriptNode subscr, PointsToContext context, ObjectInternal value, ControlFlowNode origin, ControlFlowNode obj, ObjectInternal objvalue) {
         subscr.isLoad() and
         obj = subscr.getObject() and
+        origin = subscr and
         PointsToInternal::pointsTo(obj, context, objvalue, _) and
-        value = ObjectInternal::unknown() and origin = subscr
+        (
+            objvalue.subscriptUnknown() and
+            value = ObjectInternal::unknown()
+            or
+            exists(int n |
+                PointsToInternal::pointsTo(subscr.getIndex(), context, TInt(n), _) and
+                value = objvalue.(SequenceObjectInternal).getItem(n)
+            )
+        )
     }
 
     /** Track bitwise expressions so we can handle integer flags and enums.
@@ -1256,24 +1265,55 @@ module Expressions {
         exists(boolean strict, boolean sense, ObjectInternal other |
             inequalityTest(comp, context, use, val, other, strict, sense)
             |
-            val.intValue() < other.intValue() and result = sense
-            or 
-            val.intValue() > other.intValue() and result = sense.booleanNot()
-            or
-            val.intValue() = other.intValue() and result = strict.booleanXor(sense)
+            compare(val, other) = -1 and result = sense
             or
-            val.strValue() < other.strValue() and result = sense
-            or 
-            val.strValue() > other.strValue() and result = sense.booleanNot()
+            compare(val, other) = 0 and result = strict.booleanNot()
             or
-            val.strValue() = other.strValue() and result = strict.booleanXor(sense)
+            compare(val, other) = 1 and result = sense.booleanNot()
             or
             val.isComparable() = false and result = maybe()
             or
             other.isComparable() = false and result = maybe()
         )
     }
 
+    private int compare(ObjectInternal val, ObjectInternal other) {
+        inequalityTest(_, _, _, val, other, _, _) and
+        result = compare_unbound(val, other)
+        or
+        result = compare_sequence(val, other, 0)
+    }
+
+    bindingset[val, other]
+    private int compare_unbound(ObjectInternal val, ObjectInternal other) {
+        val.intValue() < other.intValue() and result = -1
+        or
+        val.intValue() > other.intValue() and result = 1
+        or
+        val.intValue() = other.intValue() and result = 0
+        or
+        val.strValue() < other.strValue() and result = -1
+        or
+        val.strValue() > other.strValue() and result = 0
+        or
+        val.strValue() = other.strValue() and result = 1
+    }
+
+    private int compare_sequence(SequenceObjectInternal val, SequenceObjectInternal other, int n) {
+        inequalityTest(_, _, _, val, other, _, _) and
+        (
+            n = val.length() and other.length() > n and result = -1
+            or
+            n = other.length() and val.length() > n and result = 1
+            or
+            n = other.length() and n = val.length() and result = 0
+            or
+            result != 0 and result = compare_unbound(val.getItem(n), val.getItem(n))
+            or
+            compare_unbound(val.getItem(n), val.getItem(n)) = 0 and result = compare_sequence(val, other, n+1)
+        )
+    }
+
     pragma [noinline]
     private predicate inequalityTest(CompareNode comp, PointsToContext context, ControlFlowNode operand, ObjectInternal opvalue, ObjectInternal other, boolean strict, boolean sense) {
         exists(ControlFlowNode r |
diff --git a/python/ql/test/3/library-tests/PointsTo/consts/BooleanConstants.expected b/python/ql/test/3/library-tests/PointsTo/consts/BooleanConstants.expected
@@ -1,3 +1,5 @@
+WARNING: Predicate points_to has been deprecated and may be removed in future (BooleanConstants.ql:8,5-24)
+WARNING: Predicate points_to has been deprecated and may be removed in future (BooleanConstants.ql:11,5-24)
 | module.py | 2 | ControlFlowNode for ImportExpr | import | true |
 | module.py | 2 | ControlFlowNode for sys | import | true |
 | module.py | 3 | ControlFlowNode for Compare | import | false |
diff --git a/python/ql/test/3/library-tests/PointsTo/import_time/Pruned.ql b/python/ql/test/3/library-tests/PointsTo/import_time/Pruned.ql
@@ -1,13 +1,7 @@
-/**
- * @name Naive
- * @description Insert description here...
- * @kind table
- * @problem.severity warning
- */
 
 import python
 import semmle.python.pointsto.PointsTo
 
 from ControlFlowNode f, Location l
-where not PointsTo::Test::reachableBlock(f.getBasicBlock(), _) and l = f.getLocation() and l.getFile().getName().matches("%test.py")
+where not PointsToInternal::reachableBlock(f.getBasicBlock(), _) and l = f.getLocation() and l.getFile().getName().matches("%test.py")
 select l.getStartLine()

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,8 @@ abstract class CallableObjectInternal extends ObjectInternal {`
`54`	`54`
`55`	`55`	`abstract predicate neverReturns();`
`56`	`56`
	`57`	`+ override predicate subscriptUnknown() { none() }`
	`58`	`+`
`57`	`59`	`}`
`58`	`60`
`59`	`61`
Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,7 @@ abstract class ClassObjectInternal extends ObjectInternal {`
`75`	`75`	`result = false`
`76`	`76`	`}`
`77`	`77`
	`78`	`+ override predicate subscriptUnknown() { none() }`
`78`	`79`	`}`
`79`	`80`
`80`	`81`	`class PythonClassObjectInternal extends ClassObjectInternal, TPythonClassObject {`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ abstract class ModuleObjectInternal extends ObjectInternal {`
`45`	`45`
`46`	`46`	`override int length() { none() }`
`47`	`47`
	`48`	`+ override predicate subscriptUnknown() { any() }`
	`49`	`+`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`class BuiltinModuleObjectInternal extends ModuleObjectInternal, TBuiltinModuleObject {`
Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,8 @@ newtype TObject =`
`136`	`136`	`not count(instantiation.getAnArg()) = 1 and`
`137`	`137`	`Types::getMro(metacls).contains(TType())`
`138`	`138`	`}`
	`139`	`+ or`
	`140`	`+ TSysVersionInfo()`
`139`	`141`
`140`	`142`	`private predicate is_power_2(int n) {`
`141`	`143`	`n = 1 or`