Python points-to: Prevent bad magic on 'refersTo' member predicates.

markshannon · markshannon · commit 6a79e0aaa7b9 · 2019-06-03T12:22:22.000+01:00
diff --git a/python/ql/src/semmle/python/Exprs.qll b/python/ql/src/semmle/python/Exprs.qll
@@ -85,30 +85,16 @@ class Expr extends Expr_, AstNode {
     /** Gets what this expression might "refer-to" in the given `context`.
      */
     predicate refersTo(Context context, Object obj, ClassObject cls, AstNode origin) {
-        exists(Value value, ControlFlowNode cfgorigin |
-            PointsTo::pointsTo(this.getAFlowNode(), context, value, cfgorigin) and
-            origin.getAFlowNode() = cfgorigin and
-            cls = value.getClass().getSource() |
-            if exists(value.getSource()) then
-                obj = value.getSource()
-            else
-                obj = cfgorigin
-        )
+        this.getAFlowNode().refersTo(context, obj, cls, origin.getAFlowNode())
     }
 
     /** Whether this expression might "refer-to" to `value` which is from `origin` 
      * Unlike `this.refersTo(value, _, origin)`, this predicate includes results 
      * where the class cannot be inferred.
      */
+    pragma[nomagic]
     predicate refersTo(Object obj, AstNode origin) {
-        exists(Value value, ControlFlowNode cfgorigin |
-            PointsTo::pointsTo(this.getAFlowNode(), _, value, cfgorigin) and
-            origin.getAFlowNode() = cfgorigin and
-            if exists(value.getSource()) then
-                obj = value.getSource()
-            else
-                obj = cfgorigin
-        )
+        this.getAFlowNode().refersTo(obj, origin.getAFlowNode())
     }
 
     /** Equivalent to `this.refersTo(value, _)` */
diff --git a/python/ql/src/semmle/python/Flow.qll b/python/ql/src/semmle/python/Flow.qll
@@ -237,12 +237,14 @@ class ControlFlowNode extends @py_flow_node {
      *  precise, but may not provide information for a significant number of flow-nodes. 
      *  If the class is unimportant then use `refersTo(value)` or `refersTo(value, origin)` instead.
      */
+    pragma [nomagic]
     predicate refersTo(Object obj, ClassObject cls, ControlFlowNode origin) {
         this.refersTo(_, obj, cls, origin)
     }
 
     /** Gets what this expression might "refer-to" in the given `context`.
      */
+    pragma [nomagic]
     predicate refersTo(Context context, Object obj, ClassObject cls, ControlFlowNode origin) {
         not obj = unknownValue() and
         not cls = theUnknownType() and
@@ -253,6 +255,7 @@ class ControlFlowNode extends @py_flow_node {
      * Unlike `this.refersTo(value, _, origin)` this predicate includes results 
      * where the class cannot be inferred. 
      */
+    pragma [nomagic]
     predicate refersTo(Object obj, ControlFlowNode origin) {
         not obj = unknownValue() and
         PointsTo::points_to(this, _, obj, _, origin)
