Merge pull request #858 from markshannon/python-a-few-more-unknowns

Python: Slight improvement to reachability in points-to

Author: taus-semmle

python/ql/src/semmle/python/pointsto/PointsTo.qll

@@ -610,7 +610,6 @@ module PointsTo {
                 points_to(obj_node, context, x, icls, _) and
                 (not x instanceof ModuleObject and not x instanceof ClassObject) and
                 not icls.isBuiltin() and
-                Types::class_has_attribute_bool(icls, name) = false and
                 value = unknownValue() and cls = theUnknownType() and origin = f
             )
         )
@@ -2117,10 +2116,15 @@ module PointsTo {
         private boolean truth_test_evaluates_boolean(ControlFlowNode expr, ControlFlowNode use, PointsToContext context, Object val, ClassObject cls, ControlFlowNode origin) {
             contains_interesting_expression_within_test(expr, use) and
             points_to(use, context, val, cls, origin) and
+            expr = use and
             (
-                expr = use and val.booleanValue() = result
+                val.booleanValue() = result
                 or
-                expr = use and Types::instances_always_true(cls) and result = true
+                Types::instances_always_true(cls) and result = true
+                or
+                val.maybe() and result = true
+                or
+                val.maybe() and result = false
             )
         }
 

python/ql/test/library-tests/PointsTo/guarded/PointsTo.expected

@@ -61,6 +61,7 @@
 | test.py | 408 | ControlFlowNode for x | int 1 | 404 |
 | test.py | 420 | ControlFlowNode for Attribute | NoneType None | 418 |
 | test.py | 427 | ControlFlowNode for Attribute | NoneType None | 418 |
+| test.py | 435 | ControlFlowNode for y | int 1 | 433 |
 | type_test.py | 5 | ControlFlowNode for d | Dict | 2 |
 | type_test.py | 14 | ControlFlowNode for x | int 0 | 11 |
 | type_test.py | 16 | ControlFlowNode for x | float 1.0 | 11 |

python/ql/test/library-tests/PointsTo/guarded/PointsToWithType.expected

@@ -61,6 +61,7 @@
 | test.py | 408 | ControlFlowNode for x | int 1 | builtin-class int | 404 |
 | test.py | 420 | ControlFlowNode for Attribute | NoneType None | builtin-class NoneType | 418 |
 | test.py | 427 | ControlFlowNode for Attribute | NoneType None | builtin-class NoneType | 418 |
+| test.py | 435 | ControlFlowNode for y | int 1 | builtin-class int | 433 |
 | type_test.py | 5 | ControlFlowNode for d | Dict | builtin-class dict | 2 |
 | type_test.py | 14 | ControlFlowNode for x | int 0 | builtin-class int | 11 |
 | type_test.py | 16 | ControlFlowNode for x | float 1.0 | builtin-class float | 11 |

python/ql/test/library-tests/PointsTo/guarded/test.py

@@ -426,3 +426,10 @@ def meth(self):
         else:
             use(self.x)
             return lambda : use(self.x)
+
+
+def test_on_unknown_attr():
+    e = E()
+    y = 1
+    if e.attr:
+        use(y)

python/ql/test/library-tests/PointsTo/new/PointsToUnknown.expected

@@ -106,6 +106,7 @@
 | b_condition.py:88 | ControlFlowNode for y | 87 |
 | b_condition.py:90 | ControlFlowNode for x | 87 |
 | b_condition.py:90 | ControlFlowNode for y | 87 |
+| b_condition.py:92 | ControlFlowNode for x | 87 |
 | b_condition.py:93 | ControlFlowNode for use | 93 |
 | b_condition.py:93 | ControlFlowNode for use() | 93 |
 | b_condition.py:93 | ControlFlowNode for y | 87 |
@@ -115,6 +116,7 @@
 | b_condition.py:96 | ControlFlowNode for y | 87 |
 | b_condition.py:97 | ControlFlowNode for use | 97 |
 | b_condition.py:97 | ControlFlowNode for use() | 97 |
+| b_condition.py:97 | ControlFlowNode for x | 87 |
 | b_condition.py:99 | ControlFlowNode for use | 99 |
 | b_condition.py:99 | ControlFlowNode for use() | 99 |
 | b_condition.py:102 | ControlFlowNode for a | 101 |
@@ -225,3 +227,5 @@
 | r_regressions.py:52 | ControlFlowNode for msg | 51 |
 | r_regressions.py:64 | ControlFlowNode for do_validation | 64 |
 | r_regressions.py:64 | ControlFlowNode for do_validation() | 64 |
+| r_regressions.py:90 | ControlFlowNode for Attribute | 90 |
+| r_regressions.py:90 | ControlFlowNode for Attribute() | 90 |

python/ql/test/query-tests/analysis/pointsto/CallGraphEfficiency.expected

@@ -1,2 +1,2 @@
-| 0 | 29 | 29 | 100.0 |
+| 0 | 31 | 31 | 100.0 |
 | 1 | 4 | 40 | 10.0 |

python/ql/test/query-tests/analysis/pointsto/CallGraphMarginalEfficiency.expected

@@ -1,2 +1,2 @@
-| 0 | 29 | 29 | 100.0 |
+| 0 | 31 | 31 | 100.0 |
 | 1 | 3 | 40 | 7.5 |