Fix highlight locations for higher order function calls

arthaud · facebook-github-bot · commit 592ad6dee657 · 2021-08-09T20:23:55.000-07:00
Summary: As titled.

Reviewed By: dkgi

Differential Revision: D30205448

fbshipit-source-id: e6ae26aedcb49980226af173cea040e45c5f2f34
diff --git a/source/interprocedural_analyses/taint/backwardAnalysis.ml b/source/interprocedural_analyses/taint/backwardAnalysis.ml
@@ -590,7 +590,12 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
           ~higher_order_function
           ~callable_argument
         =
-        let lambda_index, { Call.Argument.value = lambda_callee; name = lambda_name } =
+        let ( lambda_index,
+              {
+                Call.Argument.value = { location = lambda_location; _ } as lambda_callee;
+                name = lambda_name;
+              } )
+          =
           lambda_argument
         in
         (* If we have a lambda `fn` getting passed into `hof`, we use the following strategy:
@@ -609,7 +614,7 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
             ( lambda_index,
               {
                 Call.Argument.value =
-                  Node.create_with_default_location (Expression.Name (Name.Identifier result));
+                  Node.create ~location:lambda_location (Expression.Name (Name.Identifier result));
                 name = lambda_name;
               } )
           in
@@ -643,7 +648,9 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
         (* Simulate if branch. *)
         let if_branch_state =
           (* Simulate $result = fn( all, all). *)
-          let all_argument = Node.create ~location (Expression.Name (Name.Identifier "$all")) in
+          let all_argument =
+            Node.create ~location:lambda_location (Expression.Name (Name.Identifier "$all"))
+          in
           let arguments_with_all_value =
             List.map non_lambda_arguments ~f:snd
             |> List.map ~f:(fun argument -> { argument with Call.Argument.value = all_argument })
diff --git a/source/interprocedural_analyses/taint/forwardAnalysis.ml b/source/interprocedural_analyses/taint/forwardAnalysis.ml
@@ -644,16 +644,25 @@ module AnalysisInstance (FunctionContext : FUNCTION_CONTEXT) = struct
          *   $result = fn
          * hof(q, fn, x, y)
          *)
-        let lambda_index, { Call.Argument.value = lambda_callee; name = lambda_name } =
+        let ( lambda_index,
+              {
+                Call.Argument.value = { location = lambda_location; _ } as lambda_callee;
+                name = lambda_name;
+              } )
+          =
           lambda_argument
         in
         let location = lambda_callee.Node.location in
-        let result = Node.create ~location (Expression.Name (Name.Identifier "$result")) in
+        let result =
+          Node.create ~location:lambda_location (Expression.Name (Name.Identifier "$result"))
+        in
 
         (* Simulate if branch. *)
         let if_branch_state =
           (* Simulate `$all = {q, x, y}`. *)
-          let all_argument = Node.create ~location (Expression.Name (Name.Identifier "$all")) in
+          let all_argument =
+            Node.create ~location:lambda_location (Expression.Name (Name.Identifier "$all"))
+          in
           let state =
             let all_assignee =
               Node.create
diff --git a/source/interprocedural_analyses/taint/test/integration/higher_order_functions.py b/source/interprocedural_analyses/taint/test/integration/higher_order_functions.py
@@ -78,3 +78,12 @@ def callable_class():
     c = Callable(_test_source())
     # Even if c is a callable, we should still propagate the taint on it.
     _test_sink(c)
+
+
+def sink_args(*args):
+    for arg in args:
+        _test_sink(arg)
+
+
+def test_location(x: int, y: Callable, z: int):
+    sink_args(x, y, z)
diff --git a/source/interprocedural_analyses/taint/test/integration/higher_order_functions.py.cg b/source/interprocedural_analyses/taint/test/integration/higher_order_functions.py.cg
@@ -11,9 +11,11 @@ higher_order_functions.has_tito (fun) -> []
 higher_order_functions.higher_order_function (fun) -> []
 higher_order_functions.higher_order_function_and_sink (fun) -> [_test_sink (fun)]
 higher_order_functions.higher_order_method (fun) -> [higher_order_functions.C::method_to_sink (method) higher_order_functions.higher_order_function (fun)]
+higher_order_functions.sink_args (fun) -> [_test_sink (fun) typing.Iterable::__iter__ (method) typing.Iterator::__next__ (method)]
 higher_order_functions.source_through_tito (fun) -> [_test_source (fun) higher_order_functions.apply (fun) higher_order_functions.has_tito (fun)]
 higher_order_functions.test_higher_order_function (fun) -> [_test_source (fun) higher_order_functions.goes_to_sink (fun) higher_order_functions.higher_order_function (fun)]
 higher_order_functions.test_higher_order_function_and_sink (fun) -> [_test_source (fun) higher_order_functions.goes_to_sink (fun) higher_order_functions.higher_order_function_and_sink (fun)]
 higher_order_functions.test_higher_order_method (fun) -> [_test_source (fun) higher_order_functions.higher_order_method (fun) object::__init__ (method) object::__new__ (method)]
 higher_order_functions.test_higher_order_method_self (fun) -> [_test_source (fun) higher_order_functions.C::self_to_sink (method) higher_order_functions.higher_order_function (fun)]
 higher_order_functions.test_higher_order_tito (fun) -> [higher_order_functions.has_tito (fun) higher_order_functions.higher_order_function (fun)]
+higher_order_functions.test_location (fun) -> [higher_order_functions.Callable::__call__ (method) higher_order_functions.sink_args (fun)]
diff --git a/source/interprocedural_analyses/taint/test/integration/higher_order_functions.py.models b/source/interprocedural_analyses/taint/test/integration/higher_order_functions.py.models
@@ -580,8 +580,8 @@
               "position": {
                 "filename": "higher_order_functions.py",
                 "line": 34,
-                "start": 4,
-                "end": 48
+                "start": 26,
+                "end": 42
               },
               "resolves_to": [ "higher_order_functions.C.method_to_sink" ],
               "port": "formal(arg)",
@@ -598,6 +598,29 @@
     ]
   }
 }
+{
+  "kind": "model",
+  "data": {
+    "callable": "higher_order_functions.sink_args",
+    "sinks": [
+      {
+        "port": "formal(*rest0)[*]",
+        "taint": [
+          {
+            "root": {
+              "filename": "higher_order_functions.py",
+              "line": 85,
+              "start": 19,
+              "end": 22
+            },
+            "leaves": [ { "kind": "Test", "name": "_test_sink" } ],
+            "features": [ { "always-via": "special_sink" } ]
+          }
+        ]
+      }
+    ]
+  }
+}
 {
   "kind": "model",
   "data": {
@@ -642,7 +665,7 @@
         "taint": [
           {
             "decl": null,
-            "tito": [ { "line": 56, "start": 11, "end": 45 } ],
+            "tito": [ { "line": 56, "start": 33, "end": 41 } ],
             "leaves": [ { "kind": "LocalReturn", "name": "", "depth": 0 } ],
             "features": [ { "via": "tito" }, { "always-via": "lambda" } ]
           }
@@ -651,3 +674,77 @@
     ]
   }
 }
+{
+  "kind": "model",
+  "data": {
+    "callable": "higher_order_functions.test_location",
+    "sinks": [
+      {
+        "port": "formal(z)",
+        "taint": [
+          {
+            "call": {
+              "position": {
+                "filename": "higher_order_functions.py",
+                "line": 89,
+                "start": 20,
+                "end": 21
+              },
+              "resolves_to": [ "higher_order_functions.sink_args" ],
+              "port": "formal(*rest0)[*]",
+              "length": 1
+            },
+            "leaves": [ { "kind": "Test", "name": "_test_sink" } ],
+            "features": [
+              { "always-type": "scalar" },
+              { "always-via": "special_sink" }
+            ]
+          }
+        ]
+      },
+      {
+        "port": "formal(y)",
+        "taint": [
+          {
+            "call": {
+              "position": {
+                "filename": "higher_order_functions.py",
+                "line": 89,
+                "start": 17,
+                "end": 18
+              },
+              "resolves_to": [ "higher_order_functions.sink_args" ],
+              "port": "formal(*rest0)[*]",
+              "length": 1
+            },
+            "leaves": [ { "kind": "Test", "name": "_test_sink" } ],
+            "features": [ { "always-via": "special_sink" } ]
+          }
+        ]
+      },
+      {
+        "port": "formal(x)",
+        "taint": [
+          {
+            "call": {
+              "position": {
+                "filename": "higher_order_functions.py",
+                "line": 89,
+                "start": 14,
+                "end": 15
+              },
+              "resolves_to": [ "higher_order_functions.sink_args" ],
+              "port": "formal(*rest0)[*]",
+              "length": 1
+            },
+            "leaves": [ { "kind": "Test", "name": "_test_sink" } ],
+            "features": [
+              { "always-type": "scalar" },
+              { "always-via": "special_sink" }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}
