Python: Bring back support for flow-summaries

Also needed to fix up `TestUtil/UnresolvedCalls.qll` after a bad merge
conflict resolution. Since all calls are now DataFlowCall, and not JUST
the ones that can be resolved, we need to put in the restriction that
the callable can also be resolved.

Author: RasmusWL

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -36,12 +36,25 @@ private import python
 private import DataFlowPublic
 private import DataFlowPrivate
 private import FlowSummaryImpl as FlowSummaryImpl
+private import FlowSummaryImplSpecific as FlowSummaryImplSpecific
 
 newtype TParameterPosition =
   /** Used for `self` in methods, and `cls` in classmethods. */
   TSelfParameterPosition() or
-  TPositionalParameterPosition(int pos) { pos = any(Parameter p).getPosition() } or
-  TKeywordParameterPosition(string name) { name = any(Parameter p).getName() } or
+  TPositionalParameterPosition(int pos) {
+    pos = any(Parameter p).getPosition()
+    or
+    // since synthetic parameters are made for a synthetic summary callable, based on
+    // what Argument positions they have flow for, we need to make sure we have such
+    // parameter positions available.
+    FlowSummaryImplSpecific::ParsePositions::isParsedPositionalArgumentPosition(_, pos)
+  } or
+  TKeywordParameterPosition(string name) {
+    name = any(Parameter p).getName()
+    or
+    // see comment for TPositionalParameterPosition
+    FlowSummaryImplSpecific::ParsePositions::isParsedKeywordArgumentPosition(_, name)
+  } or
   TStarArgsParameterPosition(int pos) {
     // since `.getPosition` does not work for `*args`, we need *args parameter positions
     // at index 1 larger than the largest positional parameter position (and 0 must be
@@ -114,8 +127,20 @@ class ParameterPosition extends TParameterPosition {
 newtype TArgumentPosition =
   /** Used for `self` in methods, and `cls` in classmethods. */
   TSelfArgumentPosition() or
-  TPositionalArgumentPosition(int pos) { exists(any(CallNode c).getArg(pos)) } or
-  TKeywordArgumentPosition(string name) { exists(any(CallNode c).getArgByName(name)) } or
+  TPositionalArgumentPosition(int pos) {
+    exists(any(CallNode c).getArg(pos))
+    or
+    // since synthetic calls within a summarized callable could use a unique argument
+    // position, we need to ensure we make these available (these are specified as
+    // parameters in the flow-summary spec)
+    FlowSummaryImplSpecific::ParsePositions::isParsedPositionalParameterPosition(_, pos)
+  } or
+  TKeywordArgumentPosition(string name) {
+    exists(any(CallNode c).getArgByName(name))
+    or
+    // see comment for TPositionalArgumentPosition
+    FlowSummaryImplSpecific::ParsePositions::isParsedKeywordParameterPosition(_, name)
+  } or
   TStarArgsArgumentPosition(int pos) { exists(Call c | c.getPositionalArg(pos) instanceof Starred) } or
   TDictSplatArgumentPosition()
 
@@ -376,7 +401,7 @@ class LibraryCallableValue extends DataFlowCallable, TLibraryCallable {
 
   LibraryCallableValue() { this = TLibraryCallable(callable) }
 
-  override string toString() { result = callable.toString() }
+  override string toString() { result = "LibraryCallableValue: " + callable.toString() }
 
   override string getQualifiedName() { result = callable.toString() }
 
@@ -1038,7 +1063,8 @@ predicate resolveCall(ControlFlowNode call, Function target, CallType type) {
  * Holds if the argument of `call` at position `apos` is `arg`. This is just a helper
  * predicate that maps ArgumentPositions to the arguments of the underlying `CallNode`.
  */
-private predicate normalCallArg(CallNode call, Node arg, ArgumentPosition apos) {
+cached
+predicate normalCallArg(CallNode call, Node arg, ArgumentPosition apos) {
   exists(int index |
     apos.isPositional(index) and
     arg.asCfgNode() = call.getArg(index)
@@ -1170,8 +1196,8 @@ predicate getCallArg(
 // DataFlowCall
 // =============================================================================
 newtype TDataFlowCall =
-  TNormalCall(CallNode call, Function target, CallType type) { resolveCall(call, target, type) }
-  or
+  TNormalCall(CallNode call, Function target, CallType type) { resolveCall(call, target, type) } or
+  TPotentialLibraryCall(CallNode call) or
   /** A synthesized call inside a summarized callable */
   TSummaryCall(FlowSummaryImpl::Public::SummarizedCallable c, Node receiver) {
     FlowSummaryImpl::Private::summaryCallbackRange(c, receiver)
@@ -1253,49 +1279,44 @@ class NormalCall extends ExtractedDataFlowCall, TNormalCall {
 }
 
 /**
- * A call to a summarized callable, a `LibraryCallable`.
+ * A potential call to a summarized callable, a `LibraryCallable`.
  *
  * We currently exclude all resolved calls. This means that a call to, say, `map`, which
  * is a `ClassCall`, cannot currently be given a summary.
  * We hope to lift this restriction in the future and include all potential calls to summaries
  * in this class.
  */
-class LibraryCall extends DataFlowCall {
-  LibraryCall() {
-    // TODO(call-graph): implement this!
-    none()
-  }
+class PotentialLibraryCall extends ExtractedDataFlowCall, TPotentialLibraryCall {
+  CallNode call;
+
+  PotentialLibraryCall() { this = TPotentialLibraryCall(call) }
 
   override string toString() {
-    // TODO(call-graph): implement this!
-    none()
+    // note: if we used toString directly on the CallNode we would get
+    //     `ControlFlowNode for func()`
+    // but the `ControlFlowNode` part is just clutter, so we go directly to the AST node
+    // instead.
+    result = call.getNode().toString()
   }
 
-  // We cannot refer to a `LibraryCallable` here,
+  // We cannot refer to a `PotentialLibraryCall` here,
   // as that could in turn refer to type tracking.
-  // This call will be tied to a `LibraryCallable` via
-  // `getViableCallabe` when the global data flow is assembled.
+  // This call will be tied to a `PotentialLibraryCall` via
+  // `viableCallable` when the global data flow is assembled.
   override DataFlowCallable getCallable() { none() }
 
   override ArgumentNode getArgument(ArgumentPosition apos) {
-    // TODO(call-graph): implement this!
-    none()
-  }
-
-  override ControlFlowNode getNode() {
-    // TODO(call-graph): implement this!
-    none()
+    normalCallArg(call, result, apos)
+    or
+    // potential self argument, from `foo.bar()` -- note that this could also just be a
+    // module reference, but we really don't have a good way of knowing :|
+    apos.isSelf() and
+    result = any(MethodCallNode mc | mc.getFunction().asCfgNode() = call.getFunction()).getObject()
   }
 
-  override DataFlowCallable getEnclosingCallable() {
-    // TODO(call-graph): implement this!
-    none()
-  }
+  override ControlFlowNode getNode() { result = call }
 
-  override Location getLocation() {
-    // TODO(call-graph): implement this!
-    none()
-  }
+  override DataFlowCallable getEnclosingCallable() { result.getScope() = call.getScope() }
 }
 
 /**
@@ -1433,7 +1454,8 @@ DataFlowCallable viableCallable(ExtractedDataFlowCall call) {
   // Instead we resolve the call from the summary.
   exists(LibraryCallable callable |
     result = TLibraryCallable(callable) and
-    call.getNode() = callable.getACall().getNode()
+    call.getNode() = callable.getACall().getNode() and
+    call instanceof PotentialLibraryCall
   )
 }
 

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -981,18 +981,10 @@ class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
 predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
-  // TODO(call-graph): implement this!
-  //
-  // // lambda
-  // kind = kind and
-  // creation.asExpr() = c.(DataFlowLambda).getDefinition()
-  // or
-  // // normal function
-  // exists(FunctionDef def |
-  //   def.defines(creation.asVar().getSourceVariable()) and
-  //   def.getDefinedFunction() = c.(DataFlowCallableValue).getCallableValue().getScope()
-  // )
-  // or
+  // lambda and plain functions
+  kind = kind and
+  creation.asExpr() = c.(DataFlowPlainFunction).getScope().getDefinition()
+  or
   // summarized function
   exists(kind) and // avoid warning on unused 'kind'
   exists(Call call |

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -337,11 +337,19 @@ abstract class ArgumentNode extends Node {
 }
 
 /**
- * A data flow node that represents a call argument found in the source code,
- * where the call can be resolved.
+ * A data flow node that represents a call argument found in the source code.
  */
 class ExtractedArgumentNode extends ArgumentNode {
-  ExtractedArgumentNode() { getCallArg(_, _, _, this, _) }
+  ExtractedArgumentNode() {
+    // for resolved calls, we need to allow all argument nodes
+    getCallArg(_, _, _, this, _)
+    or
+    // for potential summaries we allow all normal call arguments
+    normalCallArg(_, this, _)
+    or
+    // and self arguments
+    this = any(MethodCallNode mc).getObject()
+  }
 
   final override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
     this = call.getArgument(pos) and

python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImplSpecific.qll

@@ -115,10 +115,34 @@ string getComponentSpecificCsv(SummaryComponent sc) {
 }
 
 /** Gets the textual representation of a parameter position in the format used for flow summaries. */
-string getParameterPositionCsv(ParameterPosition pos) { result = pos.toString() }
+string getParameterPositionCsv(ParameterPosition pos) {
+  pos.isSelf() and result = "self"
+  or
+  exists(int i |
+    pos.isPositional(i) and
+    result = i.toString()
+  )
+  or
+  exists(string name |
+    pos.isKeyword(name) and
+    result = name + ":"
+  )
+}
 
 /** Gets the textual representation of an argument position in the format used for flow summaries. */
-string getArgumentPositionCsv(ArgumentPosition pos) { result = pos.toString() }
+string getArgumentPositionCsv(ArgumentPosition pos) {
+  pos.isSelf() and result = "self"
+  or
+  exists(int i |
+    pos.isPositional(i) and
+    result = i.toString()
+  )
+  or
+  exists(string name |
+    pos.isKeyword(name) and
+    result = name + ":"
+  )
+}
 
 /** Holds if input specification component `c` needs a reference. */
 predicate inputNeedsReferenceSpecific(string c) { none() }
@@ -200,33 +224,55 @@ module ParsePositions {
     )
   }
 
-  predicate isParsedParameterPosition(string c, int i) {
+  predicate isParsedPositionalParameterPosition(string c, int i) {
     isParamBody(c) and
     i = AccessPath::parseInt(c)
   }
 
-  predicate isParsedArgumentPosition(string c, int i) {
+  predicate isParsedKeywordParameterPosition(string c, string paramName) {
+    isParamBody(c) and
+    c = paramName + ":"
+  }
+
+  predicate isParsedPositionalArgumentPosition(string c, int i) {
     isArgBody(c) and
     i = AccessPath::parseInt(c)
   }
+
+  predicate isParsedKeywordArgumentPosition(string c, string argName) {
+    isArgBody(c) and
+    c = argName + ":"
+  }
 }
 
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
 ArgumentPosition parseParamBody(string s) {
-  none()
-  // TODO(call-graph): implement this!
-  // exists(int i |
-  //   ParsePositions::isParsedParameterPosition(s, i) and
-  //   result.isPositional(i)
-  // )
+  exists(int i |
+    ParsePositions::isParsedPositionalParameterPosition(s, i) and
+    result.isPositional(i)
+  )
+  or
+  exists(string name |
+    ParsePositions::isParsedKeywordParameterPosition(s, name) and
+    result.isKeyword(name)
+  )
+  or
+  s = "self" and
+  result.isSelf()
 }
 
 /** Gets the parameter position obtained by parsing `X` in `Argument[X]`. */
 ParameterPosition parseArgBody(string s) {
-  none()
-  // TODO(call-graph): implement this!
-  // exists(int i |
-  //   ParsePositions::isParsedArgumentPosition(s, i) and
-  //   result.isPositional(i)
-  // )
+  exists(int i |
+    ParsePositions::isParsedPositionalArgumentPosition(s, i) and
+    result.isPositional(i)
+  )
+  or
+  exists(string name |
+    ParsePositions::isParsedKeywordArgumentPosition(s, name) and
+    result.isKeyword(name)
+  )
+  or
+  s = "self" and
+  result.isSelf()
 }

python/ql/test/experimental/dataflow/TestUtil/UnresolvedCalls.qll

@@ -12,7 +12,9 @@ class UnresolvedCallExpectations extends InlineExpectationsTest {
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
     exists(CallNode call |
-      not exists(DataFlowPrivate::DataFlowCall dfc | dfc.getNode() = call) and
+      not exists(DataFlowPrivate::DataFlowCall dfc |
+        exists(dfc.getCallable()) and dfc.getNode() = call
+      ) and
       not DataFlowPrivate::resolveClassCall(call, _) and
       not call = API::builtin(_).getACall().asCfgNode() and
       location = call.getLocation() and

python/ql/test/experimental/dataflow/basic/callGraphSinks.expected

@@ -1,3 +1,4 @@
+| file://:0:0:0:0 | parameter position 0 of builtins.reversed |
 | test.py:1:1:1:21 | SynthDictSplatParameterNode |
 | test.py:1:19:1:19 | ControlFlowNode for x |
 | test.py:7:5:7:20 | ControlFlowNode for obfuscated_id() |

python/ql/test/experimental/dataflow/basic/callGraphSources.expected

@@ -1,2 +1,3 @@
+| file://:0:0:0:0 | [summary] to write: return (return) in builtins.reversed |
 | test.py:4:10:4:10 | ControlFlowNode for z |
 | test.py:7:19:7:19 | ControlFlowNode for a |

python/ql/test/experimental/dataflow/basic/global.expected

@@ -1,3 +1,4 @@
+| file://:0:0:0:0 | [summary] read: argument position 0.List element in builtins.reversed | file://:0:0:0:0 | [summary] to write: return (return).List element in builtins.reversed |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:7:5:7:17 | ControlFlowNode for obfuscated_id |
 | test.py:1:5:1:17 | GSSA Variable obfuscated_id | test.py:7:5:7:17 | ControlFlowNode for obfuscated_id |

python/ql/test/experimental/dataflow/basic/globalStep.expected

@@ -1,3 +1,4 @@
+| file://:0:0:0:0 | [summary] read: argument position 0.List element in builtins.reversed | file://:0:0:0:0 | [summary] to write: return (return).List element in builtins.reversed |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:1:5:1:17 | GSSA Variable obfuscated_id |
 | test.py:1:1:1:21 | ControlFlowNode for FunctionExpr | test.py:7:5:7:17 | ControlFlowNode for obfuscated_id |

python/ql/test/experimental/dataflow/basic/local.expected

@@ -1,3 +1,8 @@
+| file://:0:0:0:0 | [summary] read: argument position 0.List element in builtins.reversed | file://:0:0:0:0 | [summary] read: argument position 0.List element in builtins.reversed |
+| file://:0:0:0:0 | [summary] read: argument position 0.List element in builtins.reversed | file://:0:0:0:0 | [summary] to write: return (return).List element in builtins.reversed |
+| file://:0:0:0:0 | [summary] to write: return (return) in builtins.reversed | file://:0:0:0:0 | [summary] to write: return (return) in builtins.reversed |
+| file://:0:0:0:0 | [summary] to write: return (return).List element in builtins.reversed | file://:0:0:0:0 | [summary] to write: return (return).List element in builtins.reversed |
+| file://:0:0:0:0 | parameter position 0 of builtins.reversed | file://:0:0:0:0 | parameter position 0 of builtins.reversed |
 | test.py:0:0:0:0 | GSSA Variable __name__ | test.py:0:0:0:0 | GSSA Variable __name__ |
 | test.py:0:0:0:0 | GSSA Variable __package__ | test.py:0:0:0:0 | GSSA Variable __package__ |
 | test.py:0:0:0:0 | GSSA Variable b | test.py:0:0:0:0 | GSSA Variable b |