Merge pull request #1624 from markshannon/python-fix-pruning-for-constants

Python: Fix up pruning in QL to better handle constraints from constants.

Author: taus-semmle

python/ql/src/semmle/python/Exprs.qll

@@ -346,7 +346,6 @@ abstract class ImmutableLiteral extends Expr {
     abstract Object getLiteralObject();
 
     abstract boolean booleanValue();
-
 }
 
 /** A numerical constant expression, such as `7` or `4.2` */
@@ -422,7 +421,6 @@ class FloatLiteral extends Num {
         or
         this.getValue() != 0.0 and this.getValue() != -0.0 and result = true
     }
-
 }
 
 /** An imaginary numeric constant, such as `3j` */
@@ -474,6 +472,10 @@ class NegativeIntegerLiteral extends ImmutableLiteral, UnaryExpr {
         py_cobjectnames(result, "-" + this.getOperand().(IntegerLiteral).getN())
     }
 
+    int getValue() {
+        result = -this.getOperand().(IntegerLiteral).getValue()
+    }
+
 }
 
 /** A unicode string expression, such as `u"\u20ac"`. Note that unadorned string constants such as
@@ -802,7 +804,6 @@ class None extends NameConstant {
     override boolean booleanValue() {
         result = false
     }
-
 }
 
 /** An await expression such as `await coro`. */

python/ql/src/semmle/python/Pruning.qll

@@ -156,6 +156,12 @@ module Pruner {
     private import Comparisons
     private import SSA
 
+    private int intValue(ImmutableLiteral lit) {
+        result = lit.(IntegerLiteral).getValue()
+        or
+        result = lit.(NegativeIntegerLiteral).getValue()
+    }
+
     newtype TConstraint =
         TTruthy(boolean b) { b = true or b = false }
         or
@@ -164,7 +170,7 @@ module Pruner {
         TConstrainedByConstant(CompareOp op, int k) {
             int_test(_, _, op, k)
             or
-            exists(Assign a | a.getValue().(IntegerLiteral).getValue() = k) and op = eq()
+            exists(Assign a | intValue(a.getValue()) = k) and op = eq()
         }
 
     /** A constraint that may be applied to an SSA variable.
@@ -417,7 +423,7 @@ module Pruner {
         reachableEdge(_, bb)
     }
 
-    Constraint constraintFromTest(SsaVariable var, UnprunedCfgNode node) {
+    Constraint constraintFromExpr(SsaVariable var, UnprunedCfgNode node) {
         py_ssa_use(node, var) and result = TTruthy(true)
         or
         exists(boolean b |
@@ -429,7 +435,11 @@ module Pruner {
             result = TConstrainedByConstant(op, k)
         )
         or
-        result = constraintFromTest(var, node.(UnprunedNot).getOperand()).invert()
+        result = constraintFromExpr(var, node.(UnprunedNot).getOperand()).invert()
+    }
+
+    Constraint constraintFromTest(SsaVariable var, UnprunedCfgNode node) {
+        result = constraintFromExpr(var, node) and node.isBranch()
     }
 
     predicate none_test(UnprunedCompareNode test, SsaVariable var, boolean is) {
@@ -450,56 +460,46 @@ module Pruner {
             |
             op.forOp(cop) and
             py_ssa_use(left, var) and
-            right.getNode().(IntegerLiteral).getValue() = k
+            intValue(right.getNode()) = k
             or
             op.reverse().forOp(cop) and
             py_ssa_use(right, var) and
-            left.getNode().(IntegerLiteral).getValue() = k
+            intValue(left.getNode()) = k
         )
-        or
-        int_test(test.(UnprunedNot).getOperand(), var, op.invert(), k)
     }
 
-    predicate int_assignment(UnprunedCfgNode asgn, SsaVariable var, CompareOp op, int k) {
-        exists(Assign a |
-            a.getATarget() = asgn.getNode() and
-            py_ssa_use(asgn, var) and
-            k = a.getValue().(IntegerLiteral).getValue() and
-            op = eq()
-        )
-    }
-
-    predicate none_assignment(UnprunedCfgNode asgn, SsaVariable var) {
-        exists(Assign a |
-            a.getATarget() = asgn.getNode() and
-            py_ssa_use(asgn, var) and
-            a.getValue() instanceof None
+    private predicate constrainingValue(Expr e) {
+        exists(Assign a, UnprunedCfgNode asgn |
+            a.getValue() = e and a.getATarget() = asgn.getNode() and py_ssa_defn(_, asgn)
         )
+        or
+        exists(UnaryExpr n | constrainingValue(n) and n.getOp() instanceof Not and e = n.getOperand())
     }
 
-    boolean truthy_assignment(UnprunedCfgNode asgn, SsaVariable var) {
-        exists(Assign a |
-            a.getATarget() = asgn.getNode() and
-            py_ssa_use(asgn, var)
-            |
-            a.getValue() instanceof True and result = true
+    private Constraint constraintFromValue(Expr e) {
+        constrainingValue(e) and
+        (
+            result = TConstrainedByConstant(eq(), intValue(e))
+            or
+            e instanceof True and result = TTruthy(true)
+            or
+            e instanceof False and result = TTruthy(false)
+            or
+            e instanceof None and result = TIsNone(true)
             or
-            a.getValue() instanceof False and result = false
+            result = constraintFromValue(e.(UnaryExpr).getOperand()).invert()
         )
-        or
-        module_import(asgn, var) and result = true
     }
 
     /** Gets the constraint on `var` resulting from the assignment in `asgn` */
-    Constraint constraintFromAssignment(SsaVariable var, UnprunedBasicBlock asgn) {
-        exists(CompareOp op, int k |
-            int_assignment(asgn.getANode(), var, op, k) and
-            result = TConstrainedByConstant(op, k)
+    Constraint constraintFromAssignment(SsaVariable var, UnprunedCfgNode asgn) {
+        exists(Assign a |
+            a.getATarget() = asgn.getNode() and
+            py_ssa_defn(var, asgn) and
+            result = constraintFromValue(a.getValue())
         )
         or
-        none_assignment(asgn.getANode(), var) and result = TIsNone(true)
-        or
-        result = TTruthy(truthy_assignment(asgn.getANode(), var))
+        module_import(asgn, var) and result = TTruthy(true)
     }
 
     /** Holds if the constraint `preval` holds for `var` on edge `pred` -> `succ` as a result of a prior test or assignment */
@@ -518,7 +518,7 @@ module Pruner {
             first.(UnprunedConditionBlock).controlsEdge(pred, succ, false) and
             preval = constraintFromTest(var, first.last()).invert()
             or
-            preval = constraintFromAssignment(var, first) and
+            preval = constraintFromAssignment(var, first.getANode()) and
             first.dominates(pred) and
             (succ = pred.getAFalseSuccessor() or succ = pred.getATrueSuccessor())
         )

python/ql/test/library-tests/ControlFlow/pruning/Constraint.expected

@@ -1,114 +1,80 @@
-| 8 | test | test | Truthy |
-| 10 | test | test | Truthy |
-| 14 | seq | seq | Truthy |
-| 16 | seq | seq | Truthy |
-| 17 | seq | seq | Truthy |
-| 21 | UnaryExpr | t1 | Falsey |
-| 21 | t1 | t1 | Truthy |
-| 24 | t1 | t1 | Truthy |
-| 25 | t1 | t1 | Truthy |
-| 26 | t2 | t2 | Truthy |
-| 29 | t2 | t2 | Truthy |
-| 30 | t2 | t2 | Truthy |
-| 31 | t3 | t3 | Truthy |
-| 31 | t4 | t4 | Truthy |
-| 32 | t3 | t3 | Truthy |
-| 33 | t3 | t3 | Truthy |
-| 34 | t3 | t3 | Truthy |
-| 35 | t4 | t4 | Truthy |
-| 36 | t5 | t5 | Truthy |
-| 36 | t6 | t6 | Truthy |
-| 37 | t5 | t5 | Truthy |
-| 38 | t5 | t5 | Truthy |
-| 39 | t6 | t6 | Truthy |
-| 40 | t6 | t6 | Truthy |
-| 43 | t1 | t1 | Truthy |
-| 44 | UnaryExpr | t2 | Falsey |
-| 44 | t2 | t2 | Truthy |
-| 47 | t1 | t1 | Truthy |
-| 48 | t2 | t2 | Truthy |
-| 49 | t2 | t2 | Truthy |
-| 51 | t2 | t2 | Truthy |
-| 52 | t2 | t2 | Truthy |
-| 55 | seq1 | seq1 | Truthy |
-| 57 | UnaryExpr | seq2 | Falsey |
-| 57 | seq2 | seq2 | Truthy |
-| 60 | seq1 | seq1 | Truthy |
-| 62 | seq1 | seq1 | Truthy |
-| 63 | seq2 | seq2 | Truthy |
-| 65 | seq2 | seq2 | Truthy |
-| 66 | seq3 | seq3 | Truthy |
-| 68 | UnaryExpr | seq4 | Falsey |
-| 68 | seq4 | seq4 | Truthy |
-| 71 | seq3 | seq3 | Truthy |
-| 73 | var | var | Truthy |
-| 74 | seq4 | seq4 | Truthy |
-| 76 | var | var | Truthy |
-| 78 | seq5 | seq5 | Truthy |
-| 80 | seq5 | seq5 | Truthy |
-| 81 | seq5 | seq5 | Truthy |
-| 83 | var | var | Truthy |
-| 88 | UnaryExpr | x | Falsey |
-| 88 | x | x | Truthy |
-| 89 | Exception | Exception | Truthy |
-| 90 | y | y | Truthy |
-| 91 | Exception | Exception | Truthy |
-| 92 | make_a_call | make_a_call | Truthy |
-| 93 | UnaryExpr | x | Falsey |
-| 93 | x | x | Truthy |
-| 94 | count | count | Truthy |
-| 95 | y | y | Truthy |
-| 96 | count | count | Truthy |
-| 101 | make_a_call | make_a_call | Truthy |
-| 102 | UnaryExpr | another_module | Falsey |
-| 102 | another_module | another_module | Truthy |
-| 103 | count | count | Truthy |
-| 107 | UnaryExpr | t1 | Falsey |
-| 107 | t1 | t1 | Truthy |
-| 109 | t2 | t2 | Truthy |
-| 111 | t1 | t1 | Truthy |
-| 113 | UnaryExpr | t2 | Falsey |
-| 113 | t2 | t2 | Truthy |
-| 117 | UnaryExpr | test | Falsey |
-| 117 | test | test | Truthy |
-| 119 | UnaryExpr | test | Falsey |
-| 119 | test | test | Truthy |
-| 123 | m | m | Truthy |
-| 125 | m | m | Truthy |
-| 126 | m | m | Truthy |
-| 158 | Compare | ps | Is not None |
-| 158 | ps | ps | Truthy |
-| 159 | ps | ps | Truthy |
-| 160 | Compare | ps | Is None |
-| 160 | ps | ps | Truthy |
-| 171 | __name__ | __name__ | Truthy |
-| 172 | None | None | Truthy |
-| 174 | func | func | Truthy |
-| 175 | Exception | Exception | Truthy |
-| 176 | count | count | Truthy |
-| 177 | Compare | escapes | Is None |
-| 177 | None | None | Truthy |
-| 177 | escapes | escapes | Truthy |
-| 178 | count | count | Truthy |
-| 180 | count | count | Truthy |
-| 188 | true12 | true12 | Truthy |
-| 195 | Compare | x | < 4 |
-| 195 | x | x | Truthy |
-| 197 | Compare | x | < 4 |
-| 197 | x | x | Truthy |
-| 201 | Compare | x | < 4 |
-| 201 | x | x | Truthy |
-| 203 | Compare | x | >= 4 |
-| 203 | UnaryExpr | x | < 4 |
-| 203 | x | x | Truthy |
-| 207 | Compare | x | < 4 |
-| 207 | x | x | Truthy |
-| 209 | Compare | x | < 4 |
-| 209 | x | x | Truthy |
-| 214 | None | None | Truthy |
-| 215 | x | x | Truthy |
-| 215 | y | y | Truthy |
-| 217 | x | x | Truthy |
-| 217 | y | y | Truthy |
-| 219 | x | x | Truthy |
-| 223 | y | y | Truthy |
+| 8 | test | test | Truthy | test |
+| 10 | test | test | Truthy | test |
+| 14 | seq | seq | Truthy | test |
+| 17 | seq | seq | Truthy | test |
+| 21 | UnaryExpr | t1 | Falsey | test |
+| 24 | t1 | t1 | Truthy | test |
+| 25 | t1 | t1 | Truthy | test |
+| 26 | t2 | t2 | Truthy | test |
+| 29 | t2 | t2 | Truthy | test |
+| 30 | t2 | t2 | Truthy | test |
+| 31 | t3 | t3 | Truthy | test |
+| 31 | t4 | t4 | Truthy | test |
+| 32 | t3 | t3 | Truthy | test |
+| 33 | t3 | t3 | Truthy | test |
+| 34 | t3 | t3 | Truthy | test |
+| 35 | t4 | t4 | Truthy | test |
+| 36 | t5 | t5 | Truthy | test |
+| 36 | t6 | t6 | Truthy | test |
+| 37 | t5 | t5 | Truthy | test |
+| 38 | t5 | t5 | Truthy | test |
+| 39 | t6 | t6 | Truthy | test |
+| 40 | t6 | t6 | Truthy | test |
+| 43 | t1 | t1 | Truthy | test |
+| 44 | UnaryExpr | t2 | Falsey | test |
+| 47 | t1 | t1 | Truthy | test |
+| 48 | t2 | t2 | Truthy | test |
+| 49 | t2 | t2 | Truthy | test |
+| 51 | t2 | t2 | Truthy | test |
+| 52 | t2 | t2 | Truthy | test |
+| 55 | seq1 | seq1 | Truthy | test |
+| 57 | UnaryExpr | seq2 | Falsey | test |
+| 60 | seq1 | seq1 | Truthy | test |
+| 63 | seq2 | seq2 | Truthy | test |
+| 66 | seq3 | seq3 | Truthy | test |
+| 68 | UnaryExpr | seq4 | Falsey | test |
+| 78 | seq5 | seq5 | Truthy | test |
+| 88 | UnaryExpr | x | Falsey | test |
+| 90 | y | y | Truthy | test |
+| 93 | UnaryExpr | x | Falsey | test |
+| 95 | y | y | Truthy | test |
+| 99 | another_module | another_module | Truthy | assign |
+| 102 | UnaryExpr | another_module | Falsey | test |
+| 107 | UnaryExpr | t1 | Falsey | test |
+| 109 | t2 | t2 | Truthy | test |
+| 111 | t1 | t1 | Truthy | test |
+| 113 | UnaryExpr | t2 | Falsey | test |
+| 117 | UnaryExpr | test | Falsey | test |
+| 119 | UnaryExpr | test | Falsey | test |
+| 123 | m | m | Truthy | test |
+| 126 | m | m | Truthy | test |
+| 158 | Compare | ps | Is not None | test |
+| 160 | Compare | ps | Is None | test |
+| 172 | escapes | escapes | Is None | assign |
+| 177 | Compare | escapes | Is None | test |
+| 191 | true12 | true12 | == 0 | assign |
+| 195 | Compare | x | < 4 | test |
+| 197 | Compare | x | < 4 | test |
+| 201 | Compare | x | < 4 | test |
+| 203 | UnaryExpr | x | < 4 | test |
+| 207 | Compare | x | < 4 | test |
+| 209 | Compare | x | < 4 | test |
+| 215 | x | x | Truthy | test |
+| 215 | y | y | Truthy | test |
+| 217 | x | x | Truthy | test |
+| 217 | y | y | Truthy | test |
+| 219 | x | x | Truthy | test |
+| 223 | y | y | Truthy | test |
+| 229 | k | k | Falsey | assign |
+| 230 | k | k | Truthy | test |
+| 237 | k | k | == 3 | assign |
+| 238 | k | k | Truthy | test |
+| 245 | k | k | Is None | assign |
+| 246 | k | k | Truthy | test |
+| 253 | a | a | Truthy | test |
+| 254 | k | k | Truthy | assign |
+| 256 | k | k | Falsey | assign |
+| 257 | k | k | Truthy | test |
+| 264 | var | var | Truthy | assign |
+| 266 | var | var | Falsey | assign |
+| 267 | var | var | Truthy | test |

python/ql/test/library-tests/ControlFlow/pruning/Constraint.ql

@@ -3,8 +3,12 @@ import python
 
 import semmle.python.Pruning
 
-from Pruner::Constraint c, SsaVariable var, Pruner::UnprunedCfgNode node, int line
-where c = Pruner::constraintFromTest(var, node) and line = node.getNode().getLocation().getStartLine() and
-line > 0
-select line, node.getNode().toString(), var.getId(), c
+from Pruner::Constraint c, SsaVariable var, Pruner::UnprunedCfgNode node, int line, string kind
+where line = node.getNode().getLocation().getStartLine() and line > 0 and
+(
+    c = Pruner::constraintFromTest(var, node) and kind = "test"
+    or
+    c = Pruner::constraintFromAssignment(var, node) and kind = "assign"
+)
+select line, node.getNode().toString(), var.getId(), c, kind
 

python/ql/test/library-tests/ControlFlow/pruning/ContradictoryEdge.expected

@@ -31,3 +31,10 @@
 | 219 | x | 222 | count |
 | 223 | y | 224 | count |
 | 223 | y | 226 | count |
+| 230 | k | 231 | count |
+| 238 | k | 241 | count |
+| 246 | k | 247 | count |
+| 257 | k | 258 | count |
+| 257 | k | 259 | Pass |
+| 267 | var | 268 | count |
+| 267 | var | 269 | Pass |