Merge pull request #1473 from markshannon/python-points-to-more-unknowns

Python: Fix getOperand for 'not' node and make sure it can only point-to a boolean.

Author: taus-semmle

python/ql/src/semmle/python/Flow.qll

@@ -707,10 +707,14 @@ class UnaryExprNode extends ControlFlowNode {
         toAst(this) instanceof UnaryExpr
     }
 
-    /** flow node corresponding to the operand of a unary expression */
+    /** Gets flow node corresponding to the operand of a unary expression.
+     * Note that this might not be the flow node for the AST operand.
+     * In `not (a or b)` the AST operand is `(a or b)`, but as `a or b` is
+     * a short-circuiting operation, there will be two `not` CFG nodes, one will
+     * have `a` or `b` as it operand, the other will have just `b`.
+     */
      ControlFlowNode getOperand() {
-        exists(UnaryExpr u | this.getNode() = u and result.getNode() = u.getOperand()) and
-        result.getBasicBlock().dominates(this.getBasicBlock())
+         result = this.getAPredecessor()
     }
 
     override UnaryExpr getNode() { result = super.getNode() }

python/ql/src/semmle/python/pointsto/PointsTo.qll

@@ -1238,7 +1238,7 @@ module Expressions {
             or
             op instanceof USub and value = ObjectInternal::fromInt(-opvalue.intValue())
             or
-            opvalue = ObjectInternal::unknown() and value = opvalue
+            not op instanceof Not and opvalue = ObjectInternal::unknown() and value = opvalue
         ) and
         origin = u
     }

python/ql/test/library-tests/PointsTo/new/PointsToUnknown.expected

@@ -2,9 +2,7 @@
 | a_simple.py:24 | ControlFlowNode for x | 23 |
 | a_simple.py:29 | ControlFlowNode for x | 27 |
 | a_simple.py:35 | ControlFlowNode for Subscript | 35 |
-| a_simple.py:35 | ControlFlowNode for UnaryExpr | 35 |
 | a_simple.py:36 | ControlFlowNode for Subscript | 36 |
-| a_simple.py:36 | ControlFlowNode for UnaryExpr | 36 |
 | b_condition.py:5 | ControlFlowNode for IfExp | 5 |
 | b_condition.py:5 | ControlFlowNode for cond | 5 |
 | b_condition.py:5 | ControlFlowNode for unknown | 5 |
@@ -25,7 +23,6 @@
 | b_condition.py:17 | ControlFlowNode for cond | 17 |
 | b_condition.py:17 | ControlFlowNode for unknown | 17 |
 | b_condition.py:17 | ControlFlowNode for unknown() | 17 |
-| b_condition.py:19 | ControlFlowNode for UnaryExpr | 19 |
 | b_condition.py:19 | ControlFlowNode for x | 17 |
 | b_condition.py:21 | ControlFlowNode for use | 21 |
 | b_condition.py:21 | ControlFlowNode for use() | 21 |
@@ -48,7 +45,6 @@
 | b_condition.py:31 | ControlFlowNode for cond | 31 |
 | b_condition.py:31 | ControlFlowNode for unknown | 31 |
 | b_condition.py:31 | ControlFlowNode for unknown() | 31 |
-| b_condition.py:32 | ControlFlowNode for UnaryExpr | 32 |
 | b_condition.py:32 | ControlFlowNode for x | 31 |
 | b_condition.py:34 | ControlFlowNode for use | 34 |
 | b_condition.py:34 | ControlFlowNode for use() | 34 |
@@ -89,7 +85,6 @@
 | b_condition.py:70 | ControlFlowNode for cond | 70 |
 | b_condition.py:70 | ControlFlowNode for unknown | 70 |
 | b_condition.py:70 | ControlFlowNode for unknown() | 70 |
-| b_condition.py:71 | ControlFlowNode for UnaryExpr | 71 |
 | b_condition.py:71 | ControlFlowNode for b | 70 |
 | b_condition.py:73 | ControlFlowNode for b | 70 |
 | b_condition.py:79 | ControlFlowNode for use | 79 |
@@ -112,8 +107,8 @@
 | b_condition.py:97 | ControlFlowNode for x | 87 |
 | b_condition.py:99 | ControlFlowNode for use | 99 |
 | b_condition.py:99 | ControlFlowNode for use() | 99 |
+| b_condition.py:99 | ControlFlowNode for x | 87 |
 | b_condition.py:105 | ControlFlowNode for Subscript | 105 |
-| b_condition.py:105 | ControlFlowNode for UnaryExpr | 105 |
 | b_condition.py:110 | ControlFlowNode for Attribute | 110 |
 | b_condition.py:110 | ControlFlowNode for Attribute() | 110 |
 | b_condition.py:110 | ControlFlowNode for x | 109 |
@@ -178,7 +173,6 @@
 | c_tests.py:83 | ControlFlowNode for cond | 83 |
 | c_tests.py:83 | ControlFlowNode for unknown | 83 |
 | c_tests.py:83 | ControlFlowNode for unknown() | 83 |
-| c_tests.py:84 | ControlFlowNode for UnaryExpr | 84 |
 | c_tests.py:84 | ControlFlowNode for b | 83 |
 | c_tests.py:85 | ControlFlowNode for b | 83 |
 | c_tests.py:87 | ControlFlowNode for unknown | 87 |
@@ -193,7 +187,6 @@
 | c_tests.py:94 | ControlFlowNode for cond | 94 |
 | c_tests.py:94 | ControlFlowNode for unknown | 94 |
 | c_tests.py:94 | ControlFlowNode for unknown() | 94 |
-| c_tests.py:95 | ControlFlowNode for UnaryExpr | 95 |
 | c_tests.py:95 | ControlFlowNode for x | 94 |
 | c_tests.py:99 | ControlFlowNode for bar | 99 |
 | c_tests.py:99 | ControlFlowNode for bar() | 99 |
@@ -222,7 +215,6 @@
 | r_regressions.py:29 | ControlFlowNode for x | 27 |
 | r_regressions.py:31 | ControlFlowNode for y | 27 |
 | r_regressions.py:33 | ControlFlowNode for y | 27 |
-| r_regressions.py:35 | ControlFlowNode for UnaryExpr | 35 |
 | r_regressions.py:36 | ControlFlowNode for z | 27 |
 | r_regressions.py:39 | ControlFlowNode for use | 39 |
 | r_regressions.py:39 | ControlFlowNode for use() | 39 |

python/ql/test/library-tests/PointsTo/new/PointsToWithContext.expected

@@ -159,6 +159,8 @@ WARNING: Predicate points_to has been deprecated and may be removed in future (P
 | b_condition.py:87 | ControlFlowNode for split_bool1 | Function split_bool1 | builtin-class function | 87 | import |
 | b_condition.py:88 | ControlFlowNode for x | NoneType None | builtin-class NoneType | 87 | runtime |
 | b_condition.py:88 | ControlFlowNode for y | NoneType None | builtin-class NoneType | 87 | runtime |
+| b_condition.py:90 | ControlFlowNode for UnaryExpr | bool False | builtin-class bool | 90 | runtime |
+| b_condition.py:90 | ControlFlowNode for UnaryExpr | bool True | builtin-class bool | 90 | runtime |
 | b_condition.py:90 | ControlFlowNode for x | NoneType None | builtin-class NoneType | 87 | runtime |
 | b_condition.py:90 | ControlFlowNode for y | NoneType None | builtin-class NoneType | 87 | runtime |
 | b_condition.py:92 | ControlFlowNode for x | NoneType None | builtin-class NoneType | 87 | runtime |

python/ql/test/library-tests/PointsTo/new/PointsToWithType.expected

@@ -159,6 +159,8 @@ WARNING: Predicate points_to has been deprecated and may be removed in future (P
 | b_condition.py:87 | ControlFlowNode for split_bool1 | Function split_bool1 | builtin-class function | 87 |
 | b_condition.py:88 | ControlFlowNode for x | NoneType None | builtin-class NoneType | 87 |
 | b_condition.py:88 | ControlFlowNode for y | NoneType None | builtin-class NoneType | 87 |
+| b_condition.py:90 | ControlFlowNode for UnaryExpr | bool False | builtin-class bool | 90 |
+| b_condition.py:90 | ControlFlowNode for UnaryExpr | bool True | builtin-class bool | 90 |
 | b_condition.py:90 | ControlFlowNode for x | NoneType None | builtin-class NoneType | 87 |
 | b_condition.py:90 | ControlFlowNode for y | NoneType None | builtin-class NoneType | 87 |
 | b_condition.py:92 | ControlFlowNode for x | NoneType None | builtin-class NoneType | 87 |

python/ql/test/library-tests/PointsTo/new/Values.expected

@@ -115,6 +115,8 @@
 | b_condition.py:87 | ControlFlowNode for None | import | None | builtin-class NoneType |
 | b_condition.py:88 | ControlFlowNode for x | runtime | None | builtin-class NoneType |
 | b_condition.py:88 | ControlFlowNode for y | runtime | None | builtin-class NoneType |
+| b_condition.py:90 | ControlFlowNode for UnaryExpr | runtime | bool False | builtin-class bool |
+| b_condition.py:90 | ControlFlowNode for UnaryExpr | runtime | bool True | builtin-class bool |
 | b_condition.py:90 | ControlFlowNode for x | runtime | None | builtin-class NoneType |
 | b_condition.py:90 | ControlFlowNode for y | runtime | None | builtin-class NoneType |
 | b_condition.py:92 | ControlFlowNode for x | runtime | None | builtin-class NoneType |