Python: Use TUnknown instead of TUnknownInstance.

tausbn · tausbn · commit 2d8f3bb033d9 · 2020-03-16T11:34:54.000+01:00
diff --git a/python/ql/src/semmle/python/objects/Callables.qll b/python/ql/src/semmle/python/objects/Callables.qll
@@ -215,6 +215,10 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc
             cls = ObjectInternal::builtin("bool") and obj = ObjectInternal::bool(_)
         ) and
         origin = CfgOrigin::unknown()
+        or
+        this.returnTypeUnknown() and
+        obj = ObjectInternal::unknown() and
+        origin = CfgOrigin::unknown()
     }
 
     override ControlFlowNode getOrigin() {
@@ -231,27 +235,15 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc
 
     Builtin getReturnType() {
         exists(Builtin func |
-            func = this.getBuiltin() |
-            /* Enumerate the types of a few builtin functions, that the CPython analysis misses.
-            */
-            func = Builtin::builtin("hex") and result = Builtin::special("str")
-            or
-            func = Builtin::builtin("oct") and result = Builtin::special("str")
-            or
-            func = Builtin::builtin("intern") and result = Builtin::special("str")
-            or
-            func = Builtin::builtin("__import__") and result = Builtin::special("ModuleType")
-            or
-            /* Fix a few minor inaccuracies in the CPython analysis */ 
-            ext_rettype(func, result) and not (
-                func = Builtin::builtin("__import__")
-                or
-                func = Builtin::builtin("compile") and result = Builtin::special("NoneType")
-                or
-                func = Builtin::builtin("sum")
-                or
-                func = Builtin::builtin("filter")
-            )
+            func = this.getBuiltin() and
+            result = getBuiltinFunctionReturnType(func)
+        )
+    }
+
+    private predicate returnTypeUnknown() {
+        exists(Builtin func |
+            func = this.getBuiltin() and
+            not exists(getBuiltinFunctionReturnType(func))
         )
     }
 
@@ -294,6 +286,29 @@ class BuiltinFunctionObjectInternal extends CallableObjectInternal, TBuiltinFunc
 
 }
 
+private Builtin getBuiltinFunctionReturnType(Builtin func) {
+    /* Enumerate the types of a few builtin functions, that the CPython analysis misses. */
+    func = Builtin::builtin("hex") and result = Builtin::special("str")
+    or
+    func = Builtin::builtin("oct") and result = Builtin::special("str")
+    or
+    func = Builtin::builtin("intern") and result = Builtin::special("str")
+    or
+    func = Builtin::builtin("__import__") and result = Builtin::special("ModuleType")
+    or
+    /* Fix a few minor inaccuracies in the CPython analysis */
+    ext_rettype(func, result) and not (
+        func = Builtin::builtin("__import__")
+        or
+        func = Builtin::builtin("compile") and result = Builtin::special("NoneType")
+        or
+        func = Builtin::builtin("sum")
+        or
+        func = Builtin::builtin("filter")
+    )
+}
+
+
 /** Class representing methods of built-in classes (otherwise known as method-descriptors) such as `list.append`.
  */
 class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethodObject {
@@ -330,6 +345,10 @@ class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethod
             cls = ObjectInternal::builtin("bool") and obj = ObjectInternal::bool(_)
         ) and
         origin = CfgOrigin::unknown()
+        or
+        this.returnTypeUnknown() and
+        obj = ObjectInternal::unknown() and
+        origin = CfgOrigin::unknown()
     }
 
     Builtin getReturnType() {
@@ -338,14 +357,13 @@ class BuiltinMethodObjectInternal extends CallableObjectInternal, TBuiltinMethod
             func = this.getBuiltin() |
             ext_rettype(func, result)
         )
-        or
-        /* Otherwise, if no such record exists, use `object` as the return type. */
-        not exists(Builtin func |
-            // We cannot do `this.getBuiltin()` here, as that would introduce negative recursion.
-            // Instead, we appeal directly to the underlying IPA type.
-            this = TBuiltinMethodObject(func) and
-            ext_rettype(func, _))
-        and result = Builtin::builtin("object")
+    }
+
+    private predicate returnTypeUnknown() {
+        exists(Builtin func |
+            func = this.getBuiltin() |
+            not ext_rettype(func, _)
+        )
     }
 
     override ControlFlowNode getOrigin() {
