Python: IPA type for arguemnt mappings

Not sure how arg2 in line 118 is achieved

Author: yoff

python/ql/src/experimental/dataflow/internal/DataFlowPrivate.qll

@@ -261,7 +261,7 @@ private Node update(Node node) {
  * When a call contains an iterable unpacking argument, such as `func(*args)`, it is expanded into positional arguments.
  *
  * CURRENTLY NOT SUPPORTED:
- * When a call contains an iterable unpacking argument, such as `func(*args)`, and the callee contains a starred argument, any extra
+ * If a call contains an iterable unpacking argument, such as `func(*args)`, and the callee contains a starred argument, any extra
  * positional arguments are passed to the starred argument.
  *
  * When a call contains keyword arguments that do not correspond to keyword parameters, these
@@ -313,7 +313,7 @@ private Node update(Node node) {
  * `y`. There is a dataflow step from `**{"y": 1, "a": 3}` to `[**d]` to transfer the content and
  * a clearing of content at key `y` for node `[**d]`, since that value has been unpacked.
  */
-module ArgumentPassing {
+private module ArgumentPassing {
   /**
    * Holds if `call` represents a `DataFlowCall` to a `DataFlowCallable` represented by `callable`.
    *
@@ -354,23 +354,57 @@ module ArgumentPassing {
     )
   }
 
+  /**
+   * A type representing a mapping from argument indices to parameter indices.
+   * We currently use two mappings: NoShift, the identity, used for ordinary
+   * function calls, and ShiftOne which is used for calls where an extra argument
+   * is inserted. These include method calls, constructor calls and class calls.
+   * In these calls, the argument at index `n` is mapped to the parameter at position `n+1`.
+   */
+  newtype TArgParamMapping =
+    TNoShift() or
+    TShiftOne()
+
+  /** A mapping used for parameter passing. */
+  abstract class ArgParamMapping extends TArgParamMapping {
+    bindingset[result]
+    abstract int getArgN(int paramN);
+
+    string toString() { none() }
+  }
+
+  /** A mapping that passes argument `n` to parameter `n`. */
+  class NoShift extends ArgParamMapping, TNoShift {
+    NoShift() { this = TNoShift() }
+
+    bindingset[result]
+    override int getArgN(int paramN) { result = paramN }
+  }
+
+  /** A mapping that passes argument `n` to parameter `n+1`. */
+  class ShiftOne extends ArgParamMapping, TShiftOne {
+    ShiftOne() { this = TShiftOne() }
+
+    bindingset[result]
+    override int getArgN(int paramN) { result = paramN - 1 }
+  }
+
   /**
    * Gets the node representing the argument to `call` that is passed to the parameter at
    * (zero-based) index `paramN` in `callable`. If this is a positional argument, it must appear
-   * at index `argN` in `call`.
+   * at index `mapping.getArgN(paramN)` in `call`.
    *
-   * `argN` will differ from `paramN` for method- or constructor calls, where the first parameter
+   * `mapping.getArgN(paramN)` will differ from `paramN` for method- or constructor calls, where the first parameter
    * is `self` and the first positional argument is passed to the second positional parameter.
    * Similarly for classmethod calls, where the first parameter is `cls`.
    *
    * NOT SUPPORTED: Keyword-only parameters.
    */
-  Node getArg(CallNode call, int argN, CallableValue callable, int paramN) {
+  Node getArg(CallNode call, ArgParamMapping mapping, CallableValue callable, int paramN) {
     connects(call, callable) and
-    paramN - argN in [0, 1] and // constrain for now to limit the size of the predicate; we only use it to insert one argument (self).
     (
       // positional argument
-      result = TCfgNode(call.getArg(argN))
+      result = TCfgNode(call.getArg(mapping.getArgN(paramN)))
       or
       // keyword argument
       // TODO: Since `getArgName` have no results for keyword-only parameters,
@@ -393,7 +427,7 @@ module ArgumentPassing {
       or
       // argument unpacked from dict
       exists(string name |
-        call_unpacks(call, argN, callable, name, paramN) and
+        call_unpacks(call, mapping, callable, name, paramN) and
         result = TKwUnpacked(call, callable, name)
       )
     )
@@ -425,20 +459,21 @@ module ArgumentPassing {
 
   /**
    * Holds if `call` unpacks a dictionary argument in order to pass it via `name`.
-   * It will then be passed to the `n`th parameter of `callable`.
+   * It will then be passed to the parameter of `callable` at index `paramN`.
    */
-  predicate call_unpacks(CallNode call, int argNr, CallableValue callable, string name, int n) {
+  predicate call_unpacks(
+    CallNode call, ArgParamMapping mapping, CallableValue callable, string name, int paramN
+  ) {
     connects(call, callable) and
-    n - argNr in [0, 1] and
     exists(Function f |
       f = callable.getScope() and
-      not exists(call.getArg(argNr)) and // no positional arguement available
-      name = f.getArgName(n) and
+      not exists(call.getArg(mapping.getArgN(paramN))) and // no positional argument available
+      name = f.getArgName(paramN) and
       // not exists(call.getArgByName(name)) and // only matches keyword arguments not preceded by **
       // TODO: make the below logic respect control flow splitting (by not going to the AST).
       not call.getNode().getANamedArg().(Keyword).getArg() = name and // no keyword argument available
-      n >= 0 and
-      n < f.getPositionalParameterCount() + f.getKeywordOnlyParameterCount() and
+      paramN >= 0 and
+      paramN < f.getPositionalParameterCount() + f.getKeywordOnlyParameterCount() and
       exists(call.getNode().getKwargs()) // dict argument available
     )
   }
@@ -581,7 +616,7 @@ class FunctionCall extends DataFlowCall, TFunctionCall {
 
   override string toString() { result = call.toString() }
 
-  override Node getArg(int n) { result = getArg(call, n, callable.getCallableValue(), n) }
+  override Node getArg(int n) { result = getArg(call, TNoShift(), callable.getCallableValue(), n) }
 
   override ControlFlowNode getNode() { result = call }
 
@@ -608,7 +643,7 @@ class MethodCall extends DataFlowCall, TMethodCall {
   override string toString() { result = call.toString() }
 
   override Node getArg(int n) {
-    n > 0 and result = getArg(call, n - 1, this.getCallableValue(), n)
+    n > 0 and result = getArg(call, TShiftOne(), this.getCallableValue(), n)
     or
     n = 0 and result = TCfgNode(call.getFunction().(AttrNode).getObject())
   }
@@ -640,7 +675,7 @@ class ClassCall extends DataFlowCall, TClassCall {
   override string toString() { result = call.toString() }
 
   override Node getArg(int n) {
-    n > 0 and result = getArg(call, n - 1, this.getCallableValue(), n)
+    n > 0 and result = getArg(call, TShiftOne(), this.getCallableValue(), n)
     or
     n = 0 and result = TSyntheticPreUpdateNode(TCfgNode(call))
   }

python/ql/test/experimental/dataflow/coverage/argumentPassing.py

@@ -117,6 +117,7 @@ def test_multiple_kw_args():
     with_multiple_kw_args(b=arg2, c=arg3, a=arg1)
     with_multiple_kw_args(arg1, *(arg2,), arg3)
     with_multiple_kw_args(arg1, **{"c": arg3}, b=arg2)
+    with_multiple_kw_args(**{"b": arg2}, **{"c": arg3}, **{"a": arg1})
 
 
 def with_default_arguments(a=arg1, b=arg2, c=arg3):

python/ql/test/experimental/dataflow/coverage/argumentRouting1.expected

@@ -6,15 +6,16 @@
 | argumentPassing.py:117:45:117:48 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
 | argumentPassing.py:118:27:118:30 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
 | argumentPassing.py:119:27:119:30 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
-| argumentPassing.py:131:28:131:31 | ControlFlowNode for arg1 | argumentPassing.py:123:11:123:11 | ControlFlowNode for a |
-| argumentPassing.py:159:46:159:49 | ControlFlowNode for arg1 | argumentPassing.py:138:11:138:13 | ControlFlowNode for foo |
-| argumentPassing.py:167:14:167:17 | ControlFlowNode for arg1 | argumentPassing.py:165:15:165:15 | ControlFlowNode for a |
-| argumentPassing.py:174:19:174:22 | ControlFlowNode for arg1 | argumentPassing.py:172:15:172:15 | ControlFlowNode for a |
-| argumentPassing.py:182:15:182:18 | ControlFlowNode for arg1 | argumentPassing.py:180:19:180:22 | ControlFlowNode for Subscript |
-| argumentPassing.py:189:13:189:16 | ControlFlowNode for arg1 | argumentPassing.py:187:15:187:15 | ControlFlowNode for a |
-| argumentPassing.py:196:16:196:19 | ControlFlowNode for arg1 | argumentPassing.py:194:15:194:15 | ControlFlowNode for a |
-| argumentPassing.py:203:15:203:18 | ControlFlowNode for arg1 | argumentPassing.py:201:15:201:15 | ControlFlowNode for a |
-| argumentPassing.py:210:23:210:26 | ControlFlowNode for arg1 | argumentPassing.py:208:15:208:20 | ControlFlowNode for Subscript |
+| argumentPassing.py:120:65:120:68 | ControlFlowNode for arg1 | argumentPassing.py:110:11:110:11 | ControlFlowNode for a |
+| argumentPassing.py:132:28:132:31 | ControlFlowNode for arg1 | argumentPassing.py:124:11:124:11 | ControlFlowNode for a |
+| argumentPassing.py:160:46:160:49 | ControlFlowNode for arg1 | argumentPassing.py:139:11:139:13 | ControlFlowNode for foo |
+| argumentPassing.py:168:14:168:17 | ControlFlowNode for arg1 | argumentPassing.py:166:15:166:15 | ControlFlowNode for a |
+| argumentPassing.py:175:19:175:22 | ControlFlowNode for arg1 | argumentPassing.py:173:15:173:15 | ControlFlowNode for a |
+| argumentPassing.py:183:15:183:18 | ControlFlowNode for arg1 | argumentPassing.py:181:19:181:22 | ControlFlowNode for Subscript |
+| argumentPassing.py:190:13:190:16 | ControlFlowNode for arg1 | argumentPassing.py:188:15:188:15 | ControlFlowNode for a |
+| argumentPassing.py:197:16:197:19 | ControlFlowNode for arg1 | argumentPassing.py:195:15:195:15 | ControlFlowNode for a |
+| argumentPassing.py:204:15:204:18 | ControlFlowNode for arg1 | argumentPassing.py:202:15:202:15 | ControlFlowNode for a |
+| argumentPassing.py:211:23:211:26 | ControlFlowNode for arg1 | argumentPassing.py:209:15:209:20 | ControlFlowNode for Subscript |
 | classes.py:563:5:563:16 | SSA variable with_getitem | classes.py:557:15:557:18 | ControlFlowNode for self |
 | classes.py:578:5:578:16 | SSA variable with_setitem | classes.py:573:15:573:18 | ControlFlowNode for self |
 | classes.py:593:5:593:16 | SSA variable with_delitem | classes.py:588:15:588:18 | ControlFlowNode for self |

python/ql/test/experimental/dataflow/coverage/argumentRouting2.expected

@@ -2,8 +2,11 @@
 | argumentPassing.py:104:25:104:28 | ControlFlowNode for arg2 | argumentPassing.py:99:11:99:11 | ControlFlowNode for b |
 | argumentPassing.py:105:27:105:30 | ControlFlowNode for arg2 | argumentPassing.py:99:11:99:11 | ControlFlowNode for b |
 | argumentPassing.py:117:29:117:32 | ControlFlowNode for arg2 | argumentPassing.py:111:11:111:11 | ControlFlowNode for b |
-| argumentPassing.py:132:30:132:33 | ControlFlowNode for arg2 | argumentPassing.py:124:11:124:11 | ControlFlowNode for b |
-| argumentPassing.py:159:36:159:39 | ControlFlowNode for arg2 | argumentPassing.py:145:11:145:13 | ControlFlowNode for bar |
+| argumentPassing.py:118:35:118:38 | ControlFlowNode for arg2 | argumentPassing.py:111:11:111:11 | ControlFlowNode for b |
+| argumentPassing.py:119:50:119:53 | ControlFlowNode for arg2 | argumentPassing.py:111:11:111:11 | ControlFlowNode for b |
+| argumentPassing.py:120:35:120:38 | ControlFlowNode for arg2 | argumentPassing.py:111:11:111:11 | ControlFlowNode for b |
+| argumentPassing.py:133:30:133:33 | ControlFlowNode for arg2 | argumentPassing.py:125:11:125:11 | ControlFlowNode for b |
+| argumentPassing.py:160:36:160:39 | ControlFlowNode for arg2 | argumentPassing.py:146:11:146:13 | ControlFlowNode for bar |
 | classes.py:565:18:565:21 | ControlFlowNode for arg2 | classes.py:556:15:556:17 | ControlFlowNode for key |
 | classes.py:581:18:581:21 | ControlFlowNode for arg2 | classes.py:572:15:572:17 | ControlFlowNode for key |
 | classes.py:595:22:595:25 | ControlFlowNode for arg2 | classes.py:587:15:587:17 | ControlFlowNode for key |

python/ql/test/experimental/dataflow/coverage/argumentRouting3.expected

@@ -2,6 +2,7 @@
 | argumentPassing.py:117:37:117:40 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c |
 | argumentPassing.py:118:43:118:46 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c |
 | argumentPassing.py:119:41:119:44 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c |
-| argumentPassing.py:133:36:133:39 | ControlFlowNode for arg3 | argumentPassing.py:125:11:125:11 | ControlFlowNode for c |
-| argumentPassing.py:159:26:159:29 | ControlFlowNode for arg3 | argumentPassing.py:154:11:154:13 | ControlFlowNode for baz |
+| argumentPassing.py:120:50:120:53 | ControlFlowNode for arg3 | argumentPassing.py:112:11:112:11 | ControlFlowNode for c |
+| argumentPassing.py:134:36:134:39 | ControlFlowNode for arg3 | argumentPassing.py:126:11:126:11 | ControlFlowNode for c |
+| argumentPassing.py:160:26:160:29 | ControlFlowNode for arg3 | argumentPassing.py:155:11:155:13 | ControlFlowNode for baz |
 | classes.py:581:26:581:29 | ControlFlowNode for arg3 | classes.py:571:15:571:19 | ControlFlowNode for value |