Merge pull request github#5679 from tausbn/python-fix-bad-points-to-joins

yoff · web-flow · commit ef0ea247c40d · 2021-04-20T21:19:32.000+02:00
Python: Fix bad points-to joins
diff --git a/python/ql/src/semmle/python/pointsto/PointsTo.qll b/python/ql/src/semmle/python/pointsto/PointsTo.qll
@@ -1853,8 +1853,10 @@ module Expressions {
   private boolean isinstanceEvaluatesTo(
     CallNode call, PointsToContext context, ControlFlowNode use, ObjectInternal val
   ) {
-    exists(ObjectInternal cls | isinstance_call(call, use, context, val, cls) |
-      result = Types::improperSubclass(val.getClass(), cls)
+    exists(ObjectInternal cls, ObjectInternal val_cls |
+      isinstance_call(call, use, context, val, val_cls, cls)
+    |
+      result = Types::improperSubclass(val_cls, cls)
       or
       val = ObjectInternal::unknown() and result = maybe()
       or
@@ -1866,12 +1868,13 @@ module Expressions {
 
   private predicate isinstance_call(
     CallNode call, ControlFlowNode use, PointsToContext context, ObjectInternal val,
-    ObjectInternal cls
+    ObjectInternal val_cls, ObjectInternal cls
   ) {
     exists(ControlFlowNode func, ControlFlowNode arg1 |
       call2(call, func, use, arg1) and
       points_to_isinstance(func, context) and
       PointsToInternal::pointsTo(use, context, val, _) and
+      val_cls = val.getClass() and
       PointsToInternal::pointsTo(arg1, context, cls, _)
     )
   }
@@ -1993,10 +1996,7 @@ module Expressions {
     exists(ObjectInternal sup_or_tuple |
       issubclass_call(_, _, _, sub, sup_or_tuple) and sub.isClass() = true
       or
-      exists(ObjectInternal val |
-        isinstance_call(_, _, _, val, sup_or_tuple) and
-        sub = val.getClass()
-      )
+      exists(ObjectInternal val | isinstance_call(_, _, _, val, sub, sup_or_tuple))
     |
       sup = sup_or_tuple
       or
diff --git a/python/ql/src/semmle/python/pointsto/PointsToContext.qll b/python/ql/src/semmle/python/pointsto/PointsToContext.qll
@@ -100,10 +100,14 @@ private int total_call_cost(CallNode call) {
   if call_to_init_or_del(call) then result = 1 else result = call_cost(call) + splay_cost(call)
 }
 
+pragma[nomagic]
+private int relevant_call_cost(PointsToContext ctx, CallNode call) {
+  ctx.appliesTo(call) and result = total_call_cost(call)
+}
+
 pragma[noinline]
 private int total_cost(CallNode call, PointsToContext ctx) {
-  ctx.appliesTo(call) and
-  result = total_call_cost(call) + context_cost(ctx)
+  result = relevant_call_cost(ctx, call) + context_cost(ctx)
 }
 
 cached
