Merge pull request #4364 from yoff/SharedDataflow_ArgumentPassing

Python: Shared dataflow, argument passing

Author: RasmusWL

python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll

@@ -26,10 +26,40 @@ newtype TNode =
   TCfgNode(ControlFlowNode node) { isExpressionNode(node) } or
   /** A synthetic node representing the value of an object before a state change */
   TSyntheticPreUpdateNode(NeedsSyntheticPreUpdateNode post) or
-  /** A synthetic node representing the value of an object after a state change */
+  /** A synthetic node representing the value of an object after a state change. */
   TSyntheticPostUpdateNode(NeedsSyntheticPostUpdateNode pre) or
-  /** A node representing a global (module-level) variable in a specific module */
-  TModuleVariableNode(Module m, GlobalVariable v) { v.getScope() = m and v.escapes() }
+  /** A node representing a global (module-level) variable in a specific module. */
+  TModuleVariableNode(Module m, GlobalVariable v) { v.getScope() = m and v.escapes() } or
+  /**
+   * A node representing the overflow positional arguments to a call.
+   * That is, `call` contains more positional arguments than there are
+   * positional parameters in `callable`. The extra ones are passed as
+   * a tuple to a starred parameter; this synthetic node represents that tuple.
+   */
+  TPosOverflowNode(CallNode call, CallableValue callable) {
+    exists(getPositionalOverflowArg(call, callable, _))
+  } or
+  /**
+   * A node representing the overflow keyword arguments to a call.
+   * That is, `call` contains keyword arguments for keys that do not have
+   * keyword parameters in `callable`. These extra ones are passed as
+   * a dictionary to a doubly starred parameter; this synthetic node
+   * represents that dictionary.
+   */
+  TKwOverflowNode(CallNode call, CallableValue callable) {
+    exists(getKeywordOverflowArg(call, callable, _))
+    or
+    exists(call.getNode().getKwargs()) and
+    callable.getScope().hasKwArg()
+  } or
+  /**
+   * A node representing an unpacked element of a dictionary argument.
+   * That is, `call` contains argument `**{"foo": bar}` which is passed
+   * to parameter `foo` of `callable`.
+   */
+  TKwUnpacked(CallNode call, CallableValue callable, string name) {
+    call_unpacks(call, _, callable, name, _)
+  }
 
 /**
  * An element, viewed as a node in a data flow graph. Either an SSA variable
@@ -240,6 +270,49 @@ class ModuleVariableNode extends Node, TModuleVariableNode {
   override Location getLocation() { result = mod.getLocation() }
 }
 
+/**
+ * The node holding the extra positional arguments to a call. This node is passed as a tuple
+ * to the starred parameter of the callable.
+ */
+class PosOverflowNode extends Node, TPosOverflowNode {
+  CallNode call;
+
+  PosOverflowNode() { this = TPosOverflowNode(call, _) }
+
+  override string toString() { result = "PosOverflowNode for " + call.getNode().toString() }
+
+  override Location getLocation() { result = call.getLocation() }
+}
+
+/**
+ * The node holding the extra keyword arguments to a call. This node is passed as a dictionary
+ * to the doubly starred parameter of the callable.
+ */
+class KwOverflowNode extends Node, TKwOverflowNode {
+  CallNode call;
+
+  KwOverflowNode() { this = TKwOverflowNode(call, _) }
+
+  override string toString() { result = "KwOverflowNode for " + call.getNode().toString() }
+
+  override Location getLocation() { result = call.getLocation() }
+}
+
+/**
+ * The node representing the synthetic argument of a call that is unpacked from a dictionary
+ * argument.
+ */
+class KwUnpacked extends Node, TKwUnpacked {
+  CallNode call;
+  string name;
+
+  KwUnpacked() { this = TKwUnpacked(call, _, name) }
+
+  override string toString() { result = "KwUnpacked " + name }
+
+  override Location getLocation() { result = call.getLocation() }
+}
+
 /**
  * A node that controls whether other nodes are evaluated.
  */

python/ql/src/experimental/dataflow/internal/DataFlowPublic.qll

@@ -0,0 +1,211 @@
+import sys
+import os
+
+sys.path.append(os.path.dirname(os.path.dirname((__file__))))
+from testlib import *
+
+arg = "source"
+arg1 = "source1"
+arg2 = "source2"
+arg3 = "source3"
+arg4 = "source4"
+arg5 = "source5"
+arg6 = "source6"
+arg7 = "source7"
+
+
+def SINK_TEST(x, test):
+    if test(x):
+        print("OK")
+    else:
+        print("Unexpected flow", x)
+
+
+def SINK(x, expected=arg):
+    SINK_TEST(x, test=lambda x: x == expected)
+
+
+def SINK_F(x, unexpected=arg):
+    SINK_TEST(x, test=lambda x: x != unexpected)
+
+
+def SINK1(x):
+    SINK(x, expected=arg1)
+
+
+def SINK2(x):
+    SINK(x, expected=arg2)
+
+
+def SINK2_F(x):
+    SINK_F(x, unexpected=arg2)
+
+
+def SINK3(x):
+    SINK(x, expected=arg3)
+
+
+def SINK4(x):
+    SINK(x, expected=arg4)
+
+
+def SINK5(x):
+    SINK(x, expected=arg5)
+
+
+def SINK6(x):
+    SINK(x, expected=arg6)
+
+
+def SINK7(x):
+    SINK(x, expected=arg7)
+
+
+def argument_passing(
+    a,
+    b,
+    /,
+    c,
+    d=arg4,
+    *,
+    e=arg5,
+    f,
+    **g,
+):
+    SINK1(a)
+    SINK2(b)
+    SINK3(c)
+    SINK4(d)
+    SINK5(e)
+    SINK6(f)
+    try:
+        SINK7(g["g"])
+    except:
+        print("OK")
+
+
+@expects(7)
+def test_argument_passing1():
+    argument_passing(arg1, *(arg2, arg3, arg4), e=arg5, **{"f": arg6, "g": arg7})
+
+
+@expects(7)
+def test_argument_passing2():
+    argument_passing(arg1, arg2, arg3, f=arg6)
+
+
+def with_pos_only(a, /, b):
+    SINK1(a)
+    SINK2(b)
+
+
+@expects(6)
+def test_pos_only():
+    with_pos_only(arg1, arg2)
+    with_pos_only(arg1, b=arg2)
+    with_pos_only(arg1, *(arg2,))
+
+
+def with_multiple_kw_args(a, b, c):
+    SINK1(a)
+    SINK2(b)
+    SINK3(c)
+
+
+@expects(9)
+def test_multiple_kw_args():
+    with_multiple_kw_args(b=arg2, c=arg3, a=arg1)
+    with_multiple_kw_args(arg1, *(arg2,), arg3)
+    with_multiple_kw_args(arg1, **{"c": arg3}, b=arg2)
+    with_multiple_kw_args(**{"b": arg2}, **{"c": arg3}, **{"a": arg1})
+
+
+def with_default_arguments(a=arg1, b=arg2, c=arg3):
+    SINK1(a)
+    SINK2(b)
+    SINK3(c)
+
+
+@expects(12)
+def test_default_arguments():
+    with_default_arguments()
+    with_default_arguments(arg1)
+    with_default_arguments(b=arg2)
+    with_default_arguments(**{"c": arg3})
+
+
+# Nested constructor pattern
+def grab_foo_bar_baz(foo, **kwargs):
+    SINK1(foo)
+    grab_bar_baz(**kwargs)
+
+
+# It is not possible to pass `bar` into `kwargs`,
+# since `bar` is a valid keyword argument.
+def grab_bar_baz(bar, **kwargs):
+    SINK2(bar)
+    try:
+        SINK2_F(kwargs["bar"])
+    except:
+        print("OK")
+    grab_baz(**kwargs)
+
+
+def grab_baz(baz):
+    SINK3(baz)
+
+
+@expects(4)
+def test_grab():
+    grab_foo_bar_baz(baz=arg3, bar=arg2, foo=arg1)
+
+
+# All combinations
+def test_pos_pos():
+    def with_pos(a):
+        SINK1(a)
+
+    with_pos(arg1)
+
+
+def test_pos_pos_only():
+    def with_pos_only(a, /):
+        SINK1(a)
+
+    with_pos_only(arg1)
+
+
+def test_pos_star():
+    def with_star(*a):
+        if len(a) > 0:
+            SINK1(a[0])
+
+    with_star(arg1)
+
+
+def test_pos_kw():
+    def with_kw(a=""):
+        SINK1(a)
+
+    with_kw(arg1)
+
+
+def test_kw_pos():
+    def with_pos(a):
+        SINK1(a)
+
+    with_pos(a=arg1)
+
+
+def test_kw_kw():
+    def with_kw(a=""):
+        SINK1(a)
+
+    with_kw(a=arg1)
+
+
+def test_kw_doublestar():
+    def with_doublestar(**a):
+        SINK1(a["a"])
+
+    with_doublestar(a=arg1)

python/ql/test/experimental/dataflow/coverage/argumentPassing.py

@@ -1,16 +1,34 @@
-| classes.py:620:5:620:16 | SSA variable with_getitem | classes.py:614:15:614:18 | ControlFlowNode for self |
-| classes.py:637:5:637:16 | SSA variable with_setitem | classes.py:632:15:632:18 | ControlFlowNode for self |
-| classes.py:654:5:654:16 | SSA variable with_delitem | classes.py:649:15:649:18 | ControlFlowNode for self |
-| classes.py:735:5:735:12 | SSA variable with_add | classes.py:729:15:729:18 | ControlFlowNode for self |
-| classes.py:752:5:752:12 | SSA variable with_sub | classes.py:746:15:746:18 | ControlFlowNode for self |
-| classes.py:769:5:769:12 | SSA variable with_mul | classes.py:763:15:763:18 | ControlFlowNode for self |
-| classes.py:786:5:786:15 | SSA variable with_matmul | classes.py:780:15:780:18 | ControlFlowNode for self |
-| classes.py:803:5:803:16 | SSA variable with_truediv | classes.py:797:15:797:18 | ControlFlowNode for self |
-| classes.py:820:5:820:17 | SSA variable with_floordiv | classes.py:814:15:814:18 | ControlFlowNode for self |
-| classes.py:837:5:837:12 | SSA variable with_mod | classes.py:831:15:831:18 | ControlFlowNode for self |
-| classes.py:877:5:877:12 | SSA variable with_pow | classes.py:865:15:865:18 | ControlFlowNode for self |
-| classes.py:894:5:894:15 | SSA variable with_lshift | classes.py:888:15:888:18 | ControlFlowNode for self |
-| classes.py:911:5:911:15 | SSA variable with_rshift | classes.py:905:15:905:18 | ControlFlowNode for self |
-| classes.py:928:5:928:12 | SSA variable with_and | classes.py:922:15:922:18 | ControlFlowNode for self |
-| classes.py:945:5:945:12 | SSA variable with_xor | classes.py:939:15:939:18 | ControlFlowNode for self |
-| classes.py:962:5:962:11 | SSA variable with_or | classes.py:956:15:956:18 | ControlFlowNode for self |
+| argumentPassing.py:89:22:89:25 | ControlFlowNode for arg1 | argumentPassing.py:75:11:75:11 | ControlFlowNode for a |
+| argumentPassing.py:94:22:94:25 | ControlFlowNode for arg1 | argumentPassing.py:75:11:75:11 | ControlFlowNode for a |
+| argumentPassing.py:104:19:104:22 | ControlFlowNode for arg1 | argumentPassing.py:98:11:98:11 | ControlFlowNode for a |
+| argumentPassing.py:105:19:105:22 | ControlFlowNode for arg1 | argumentPassing.py:98:11:98:11 | ControlFlowNode for a |
+| argumentPassing.py:106:19:106:22 | ControlFlowNode for arg1 | argumentPassing.py:98:11:98:11 | ControlFlowNode for a |
+| argumentPassing.py:117:45:117:48 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
+| argumentPassing.py:118:27:118:30 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
+| argumentPassing.py:119:27:119:30 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
+| argumentPassing.py:120:65:120:68 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
+| argumentPassing.py:132:28:132:31 | ControlFlowNode for arg1 | argumentPassing.py:124:11:124:11 | ControlFlowNode for a |
+| argumentPassing.py:160:46:160:49 | ControlFlowNode for arg1 | argumentPassing.py:139:11:139:13 | ControlFlowNode for foo |
+| argumentPassing.py:168:14:168:17 | ControlFlowNode for arg1 | argumentPassing.py:166:15:166:15 | ControlFlowNode for a |
+| argumentPassing.py:175:19:175:22 | ControlFlowNode for arg1 | argumentPassing.py:173:15:173:15 | ControlFlowNode for a |
+| argumentPassing.py:183:15:183:18 | ControlFlowNode for arg1 | argumentPassing.py:181:19:181:22 | ControlFlowNode for Subscript |
+| argumentPassing.py:190:13:190:16 | ControlFlowNode for arg1 | argumentPassing.py:188:15:188:15 | ControlFlowNode for a |
+| argumentPassing.py:197:16:197:19 | ControlFlowNode for arg1 | argumentPassing.py:195:15:195:15 | ControlFlowNode for a |
+| argumentPassing.py:204:15:204:18 | ControlFlowNode for arg1 | argumentPassing.py:202:15:202:15 | ControlFlowNode for a |
+| argumentPassing.py:211:23:211:26 | ControlFlowNode for arg1 | argumentPassing.py:209:15:209:20 | ControlFlowNode for Subscript |
+| classes.py:563:5:563:16 | SSA variable with_getitem | classes.py:557:15:557:18 | ControlFlowNode for self |
+| classes.py:578:5:578:16 | SSA variable with_setitem | classes.py:573:15:573:18 | ControlFlowNode for self |
+| classes.py:593:5:593:16 | SSA variable with_delitem | classes.py:588:15:588:18 | ControlFlowNode for self |
+| classes.py:665:5:665:12 | SSA variable with_add | classes.py:659:15:659:18 | ControlFlowNode for self |
+| classes.py:680:5:680:12 | SSA variable with_sub | classes.py:674:15:674:18 | ControlFlowNode for self |
+| classes.py:695:5:695:12 | SSA variable with_mul | classes.py:689:15:689:18 | ControlFlowNode for self |
+| classes.py:710:5:710:15 | SSA variable with_matmul | classes.py:704:15:704:18 | ControlFlowNode for self |
+| classes.py:725:5:725:16 | SSA variable with_truediv | classes.py:719:15:719:18 | ControlFlowNode for self |
+| classes.py:740:5:740:17 | SSA variable with_floordiv | classes.py:734:15:734:18 | ControlFlowNode for self |
+| classes.py:755:5:755:12 | SSA variable with_mod | classes.py:749:15:749:18 | ControlFlowNode for self |
+| classes.py:791:5:791:12 | SSA variable with_pow | classes.py:779:15:779:18 | ControlFlowNode for self |
+| classes.py:806:5:806:15 | SSA variable with_lshift | classes.py:800:15:800:18 | ControlFlowNode for self |
+| classes.py:821:5:821:15 | SSA variable with_rshift | classes.py:815:15:815:18 | ControlFlowNode for self |
+| classes.py:836:5:836:12 | SSA variable with_and | classes.py:830:15:830:18 | ControlFlowNode for self |
+| classes.py:851:5:851:12 | SSA variable with_xor | classes.py:845:15:845:18 | ControlFlowNode for self |
+| classes.py:866:5:866:11 | SSA variable with_or | classes.py:860:15:860:18 | ControlFlowNode for self |

python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected

@@ -9,6 +9,8 @@ class ArgumentRoutingConfig extends DataFlow::Configuration {
   ArgumentRoutingConfig() { this = "ArgumentRoutingConfig" }
 
   override predicate isSource(DataFlow::Node node) {
+    node.(DataFlow::CfgNode).getNode().(NameNode).getId() = "arg1"
+    or
     exists(AssignmentDefinition def, DataFlowPrivate::DataFlowCall call |
       def.getVariable() = node.(DataFlow::EssaNode).getVar() and
       def.getValue() = call.getNode() and
@@ -27,7 +29,7 @@ class ArgumentRoutingConfig extends DataFlow::Configuration {
 
 from DataFlow::Node source, DataFlow::Node sink
 where
-  source.getLocation().getFile().getBaseName() = "classes.py" and
-  sink.getLocation().getFile().getBaseName() = "classes.py" and
+  source.getLocation().getFile().getBaseName() in ["classes.py", "argumentPassing.py"] and
+  sink.getLocation().getFile().getBaseName() in ["classes.py", "argumentPassing.py"] and
   exists(ArgumentRoutingConfig cfg | cfg.hasFlow(source, sink))
 select source, sink