Python: Dataflow, Test that pointsTo implies data flow#4174
Python: Dataflow, Test that pointsTo implies data flow#4174yoff merged 9 commits intogithub:mainfrom
pointsTo implies data flow#4174Conversation
Running the test on a larger database gives some interesting results.
There was a problem hiding this comment.
Does this mean we currently are not able to track functions with dataflow?
Maybe we can add a test-case along these lines?
def foo():
return "foo"
def bar():
return "bar"
if cond:
f = foo
else:
f = bar
f() # what can flow to `f`?wait a minute, following the existing test setup, that is just
if cond
f = source
else:
f = non_source
SINK(f())
|
I guess the question is if we actually want a data flow edge from the function expression to the name, or if we are satisfied with the ability to look up the function expression whenever the name is used as a call. In the latter case, we can exclude function expressions from |
tausbn
left a comment
tausbn
left a comment
There was a problem hiding this comment.
A few comments, but otherwise this looks good.
Before deciding what to do with the missing flow (whether to ignore it or add it), do we know what the situation is for global variables? (After all, a function definition is just a glorified assignment to a variable.)
I would be curious to see if we're also missing flow in that case.
Whatever makes us handle the above example and stuff like the following correctly 😄 def foo():
return "foo"
f = foo
def foo():
return "refined"
SINK(f()) |
|
I've approved this (perhaps prematurely), but I would still like to see what happens in the global variable case (and rasmuswl's cases) before we move on to other things. |
RasmusWL
left a comment
RasmusWL
left a comment
There was a problem hiding this comment.
not to worry, I'll put in a request changes PR review, until tests cases have been added 😉
| origin = pointer.pointsTo().getOrigin() | ||
| } | ||
|
|
||
| class PointsToConfiguration extends DataFlow::Configuration { |
There was a problem hiding this comment.
Maybe add a short comment somewhere that describes what this "query" does?
|
@tausbn had the nice suggestion of [adding or putting this next to] the old |
|
I believe putting it, say, here should do the trick. This contains the bulk of the points-to-testing code. |
|
Ah, yes, that looks great. Thanks :-) |
|
A bunch of results. The three big groups are |
|
For |
|
Aha, so maybe this would go away if we did away with the |
|
@yoff I don't quite remember all the context for this PR, but did you add the test cases from my comments yet? 😊 |
Yes, I believe so. |
No, which is why I did not request your review yet. That is my next move, though :-) |
As it stands, this does not compile, so I moved the redefinition into a function. |
python/ql/test/library-tests/PointsTo/new/code/w_function_values.py
Outdated
Show resolved
Hide resolved
…es.py Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
RasmusWL
left a comment
RasmusWL
left a comment
There was a problem hiding this comment.
This is a good test to have in it's current state.
I think it could be valuable to solve the missing data-flow for self, so we can run this on real snapshots to explore new cases that we are not handling.
I'm leaving the approving review without merging, so it can be your call whether you want to do this as part of this PR, or later 😊
4 participants
Running the test on a larger database gives some interesting results. While writing it, I ran it on the coverage test database and got some surprising hits. For instance, it looked like a parameter called
clsdid not flow into the function body.