predicate pointsTo(Context context, Value object, ControlFlowNode origin)
38
38
39
-
``object`` is an object that the control flow node refers to, ``origin`` is where the object comes from, which is useful for displaying meaningful results.
40
-
The third form includes the ``context`` in which the control flow node refers to ``object``. This form can usually be ignored.
39
+
``object`` is an object that the control flow node refers to, and ``origin`` is where the object comes from, which is useful for displaying meaningful results.
40
+
The third form includes the ``context`` in which the control flow node refers to the ``object``. This form can usually be ignored.
41
41
42
42
.. pull-quote::
43
43
44
44
Note
45
45
46
-
``ControlFlowNode.pointsTo()`` cannot find all objects that a control flow node might point to as it impossible to be accurate andfind all possible values. We prefer precision (no incorrect values) over recall (finding as many values as possible). We do this because queries based on points-to analysis have fewer false positives and are thus more useful.
46
+
``ControlFlowNode.pointsTo()`` cannot find all objects that a control flow node might point to as it is impossible to be accurate *and* to find all possible values. We prefer precision (no incorrect values) over recall (finding as many values as possible). We do this so that queries based on points-to analysis have fewer false positive results and are thus more useful.
47
47
48
48
For complex data flow analyses, involving multiple stages, the ``ControlFlowNode`` version is more precise, but for simple use cases the ``Expr`` based version is easier to use. For convenience, the ``Expr`` class also has the same three predicates. ``Expr.pointsTo(...)`` also has three variants:
49
49
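Review bot: At new line 40, "refers to the ``object``" puts an article in front of a parameter name, while new line 39 and the removed line 40 use the bare ``object``; drop "the" so the parameters of ``pointsTo(Context context, Value object, ControlFlowNode origin)`` are referred to consistently. In the note at new line 46, "as it is impossible" would also read more clearly as "because it is impossible".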
@@ -149,15 +149,15 @@ Then we need to determine if the object ``iter`` is iterable. We can test ``Clas
149
149
150
150
.. code-block:: ql
151
151
152
-
import python
153
-
154
-
from For loop, Value iter, ClassValue cls
155
-
where loop.getIter().pointsTo(iter) and
156
-
cls = iter.getClass() and
157
-
not cls.hasAttribute("__iter__")
158
-
select loop, cls
152
+
import python
159
153
160
-
➤ `See this in the query console <https://lgtm.com/query/670720182/>`__. Many projects use a non-iterable as a loop iterator.
154
+
from For loop, Value iter, ClassValue cls
155
+
where loop.getIter().getAFlowNode().pointsTo(iter) and
156
+
cls = iter.getClass() and
157
+
not exists(cls.lookup("__iter__"))
158
+
select loop, cls
159
+
160
+
➤ `See this in the query console <https://lgtm.com/query/5636475906111506420/>`__. Many projects use a non-iterable as a loop iterator.
161
161
162
162
Many of the results shown will have ``cls`` as ``NoneType``. It is more informative to show where these ``None`` values may come from. To do this we use the final field of ``pointsTo``, as follows:
163
163
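Review bot: The where clause at new line 155 now calls ``loop.getIter().getAFlowNode().pointsTo(iter)``, but the unchanged paragraph at line 48 tells readers that ``Expr`` has the same predicates and is the easier form for simple use cases, so the example no longer matches the advice that precedes it. Add a sentence explaining why this query goes through the control flow node. Also check the sentence that introduces the query (cut off in the hunk header at "We can test"): if it still describes the old ``hasAttribute`` test, update it to match ``not exists(cls.lookup("__iter__"))`` at new line 157.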
@@ -194,7 +194,7 @@ The original query looked this:
194
194
where call.getFunc() = name and name.getId() = "eval"
195
195
select call, "call to 'eval'."
196
196
197
-
➤ `See this in the query console <https://lgtm.com/query/6718356557331218618/>`__. Two of the demo projects on LGTM.com have calls that match this pattern.
197
+
➤ `See this in the query console <https://lgtm.com/query/6718356557331218618/>`__. Some of the demo projects on LGTM.com have calls that match this pattern.
198
198
199
199
There are two problems with this query:
200
200
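Review bot: The context sentence shown in this hunk's header, "The original query looked this:", is missing "like"; fix it in the same change since this part of the page is being edited anyway. Replacing "Two" with "Some" at line 197 is fine and avoids a count that goes stale.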
@@ -222,7 +222,7 @@ Then we can use ``Value.getACall()`` to identify calls to the ``eval`` function,
222
222
call = eval.getACall()
223
223
select call, "call to 'eval'."
224
224
225
-
➤ `See this in the query console <https://lgtm.com/query/535131812579637425/>`__. This accurately identifies calls to the builtin ``eval`` function even when they are referred to using an alternative name. Any false positive results with calls to other ``eval`` functions, reported by the original query, have been eliminated. It finds one result in files referenced by the *saltstack/salt* project.
225
+
➤ `See this in the query console <https://lgtm.com/query/535131812579637425/>`__. This accurately identifies calls to the builtin ``eval`` function even when they are referred to using an alternative name. Any false positive results with calls to other ``eval`` functions, reported by the original query, have been eliminated.
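Review bot: With the *saltstack/salt* result dropped at line 225, the paragraph now ends on "Any false positive results with calls to other ``eval`` functions, reported by the original query, have been eliminated", which is hard to parse. Consider "False positive results that the original query reported for calls to other ``eval`` functions have been eliminated."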