Python: Add dataflow consistency query #8457
Conversation
|
AHA, a few inconsistencies uncovered 🕵️ @yoff maybe we can work together on fixing these? |
RasmusWL
force-pushed
the
add-dataflow-consistency-query
branch
from
30681b2 to
66cf8cb
Compare
|
Interesting. There are a few instances of |
RasmusWL
force-pushed
the
add-dataflow-consistency-query
branch
2 times, most recently
from
129bc13 to
16659f8
Compare
|
It seems we have very few failure modes:
I wonder what is going on here? We should not have semantic changes, should we? Is this to do with the missing file? |
Ah, so updating should fix it. |
RasmusWL
force-pushed
the
add-dataflow-consistency-query
branch
from
16659f8 to
80d67d0
Compare
RasmusWL
force-pushed
the
add-dataflow-consistency-query
branch
from
80d67d0 to
2b438cf
Compare
|
woops, git merge did things to C++ which was certainly not intended |
RasmusWL
force-pushed
the
add-dataflow-consistency-query
branch
from
2b438cf to
2ec1822
Compare
| } | ||
|
|
||
| predicate multipleArgumentCallExclude(ArgumentNode arg, DataFlowCall call) { | ||
| isArgumentNode(arg, call, _) |
There was a problem hiding this comment.
Could this be strengthened, to make it clear where you expect multiple arguments?
There was a problem hiding this comment.
Argh, that made it too strict. For the one case I have debugged so far:
In the code super(Base, self).foo() we use self as an argument in both the super() call (pos 1) and in the .foo() call (pos self). Will look into fixing that tomorrow
| predicate argHasPostUpdateExclude(ArgumentNode n) { | ||
| exists(ArgumentPosition apos | n.argumentOf(_, apos) and apos.isStarArgs(_)) | ||
| or | ||
| exists(ArgumentPosition apos | n.argumentOf(_, apos) and apos.isDictSplat()) |
There was a problem hiding this comment.
We have a similar exclusion in Ruby for implicit hash-splats, but this is only because we haven't yet implemented proper support. Is it the same for Python? I.e., in Ruby we do not currently handle
def foo(**args)
args[:p].setField taint
end
foo(p: x)
sink(x.getField)There was a problem hiding this comment.
Yes, the assertion in the following code holds. This was not really something I've thought too much about though, since it's not something I've ever seen in real code -- but I agree that it could happen 👍
def set_foo(**args):
args["p"].foo = 42
class MyClass: pass
c = MyClass()
set_foo(p=c)
assert c.foo == 42There was a problem hiding this comment.
same goes for *args parameter
There was a problem hiding this comment.
I have documented the missing flow for Ruby here: #14859.
yoff
left a comment
yoff
left a comment
There was a problem hiding this comment.
Thanks for the great comments spelling out the different situations. I have added some suggestions around aligning the code a bit more with the comments.
| exists(DataFlowCall getAttrCall, DataFlowCall methodCall, AttrRead attr | | ||
| call in [getAttrCall, methodCall] | ||
| | | ||
| arg = getAttrCall.getArgument(any(ArgumentPosition p | p.isPositional(0))) and | ||
| arg = methodCall.getArgument(any(ArgumentPosition p | p.isSelf())) and | ||
| attr.getObject() = arg and | ||
| attr.(CfgNode).getNode() = getAttrCall.getNode() | ||
| ) |
There was a problem hiding this comment.
Could we use GetAttrCallNode here for getAttrCall? Then we would be a bit more sure that this is the method being called, and arg = getAttrCall.getObject() would also cover the object= case.
There was a problem hiding this comment.
it's private, so we can't without making it public:
I also don't see how this would improve things. attr.(CfgNode).getNode() = getAttrCall.getNode() makes sure that the AttrRead and the DataFlowCall shares the underlying CFG node... isn't that enough?
There was a problem hiding this comment.
I also don't see how this would improve things. attr.(CfgNode).getNode() = getAttrCall.getNode() makes sure that the AttrRead and the DataFlowCall shares the underlying CFG node... isn't that enough?
It probably is, but the argument is by casing on the implemented AttrReads and their shape. it might be nicer to ensure directly that getAttrCall is a call to the Python function getattr.
I will not push hard for this, though, the tests will probably make noise if it becomes a problem..
| // In the code `super(Base, self).foo()` we use `self` as an argument in both the | ||
| // super() call (pos 1) and in the .foo() call (pos self). | ||
| exists(DataFlowCall superCall, DataFlowCall methodCall | call in [superCall, methodCall] | | ||
| exists(superCallTwoArgumentTracker(_, arg)) and |
There was a problem hiding this comment.
Is this all our evidence that superCall is a call to super? Could we have something like superCall.getNode() = superCallTwoArgumentTracker(_, arg) instead or does that not eliminate all these inconsistencies?
There was a problem hiding this comment.
yes. if you look at the implementation of superCallTwoArgumentTracker, it's actually that arg is the "object" argument in the super() call.
There was a problem hiding this comment.
Indeed, and the result is something that the call flows to. That is why I suggested as I did. At the moment, we just know that arg is an argument to a call to super and that it is also arg 1 to superCall (and arg self to methodCall). Presumably it could also be an argument to many other things (and the call to super could be different from superCall), that is what we are testing after all..
| // in the code `def func(self): super().foo(); super.bar()` we use `self` as the | ||
| // (pos self) argument in both .foo() and .bar() calls. | ||
| exists(Function f | | ||
| exprNode(f.getArg(0)) = arg and | ||
| call.getNode().getScope() = f and | ||
| arg = call.getArgument(any(ArgumentPosition p | p.isSelf())) | ||
| ) |
There was a problem hiding this comment.
I would think you want an other in this logic as well? Otherwise you may be hiding other problems?
| private import Public | ||
|
|
||
| predicate argHasPostUpdateExclude(ArgumentNode n) { | ||
| exists(ArgumentPosition apos | n.argumentOf(_, apos) and apos.isStarArgs(_)) |
There was a problem hiding this comment.
Should we have a comments saying "TODO: make this unnecessary"?
| predicate argHasPostUpdateExclude(ArgumentNode n) { | ||
| exists(ArgumentPosition apos | n.argumentOf(_, apos) and apos.isStarArgs(_)) | ||
| or | ||
| exists(ArgumentPosition apos | n.argumentOf(_, apos) and apos.isDictSplat()) |
There was a problem hiding this comment.
Should we have a comments saying "TODO: make this unnecessary"?
yoff
left a comment
yoff
left a comment
There was a problem hiding this comment.
I still think that we could be a bit more robust, but I am not sure it is terribly important, and getting this in will be great, so I am approving now.
We forgot to delete that file in github#8457
3 participants
As a real consistency query, so it will be run as part of ALL tests. (which might make CI take longer, but the value is nice I think)
I've made a dummy consistency query in #8458 to convince reviewers that these consistency queries are actually run 😊