Python: Introduce points-to cached stage

With points-to not being used for the call-graph any longer, it's time
to split them.

Author: RasmusWL

python/ql/lib/semmle/python/Flow.qll

@@ -125,7 +125,7 @@ class ControlFlowNode extends @py_flow_node {
   /** Gets a textual representation of this element. */
   cached
   string toString() {
-    Stages::DataFlow::ref() and
+    Stages::PointsTo::ref() and
     exists(Scope s | s.getEntryNode() = this | result = "Entry node for " + s.toString())
     or
     exists(Scope s | s.getANormalExit() = this | result = "Exit node for " + s.toString())

python/ql/lib/semmle/python/internal/CachedStages.qll

@@ -126,26 +126,24 @@ module Stages {
   }
 
   /**
-   * The `dataflow` stage.
+   * The points-to stage.
    */
   cached
-  module DataFlow {
+  module PointsTo {
     /**
      * Always holds.
-     * Ensures that a predicate is evaluated as part of the DataFlow stage.
+     * Ensures that a predicate is evaluated as part of the points-to stage.
      */
     cached
     predicate ref() { 1 = 1 }
 
-    private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
-    private import semmle.python.dataflow.new.internal.LocalSources as LocalSources
-    private import semmle.python.internal.Awaited as Awaited
     private import semmle.python.pointsto.Base as PointsToBase
     private import semmle.python.types.Object as TypeObject
     private import semmle.python.objects.TObject as TObject
     private import semmle.python.Flow as Flow
     private import semmle.python.objects.ObjectInternal as ObjectInternal
-    private import semmle.python.pointsto.PointsTo as PointsTo
+    // have to alias since this module is also called PointsTo
+    private import semmle.python.pointsto.PointsTo as RealPointsTo
 
     /**
      * DONT USE!
@@ -155,14 +153,6 @@ module Stages {
     predicate backref() {
       1 = 1
       or
-      exists(any(DataFlowPublic::Node node).toString())
-      or
-      any(DataFlowPublic::Node node).hasLocationInfo(_, _, _, _, _)
-      or
-      any(LocalSources::LocalSourceNode n).flowsTo(_)
-      or
-      exists(Awaited::awaited(_))
-      or
       PointsToBase::BaseFlow::scope_entry_value_transfer_from_earlier(_, _, _, _)
       or
       exists(TypeObject::Object a)
@@ -173,7 +163,41 @@ module Stages {
       or
       exists(any(ObjectInternal::ObjectInternal o).toString())
       or
-      PointsTo::AttributePointsTo::variableAttributePointsTo(_, _, _, _, _)
+      RealPointsTo::AttributePointsTo::variableAttributePointsTo(_, _, _, _, _)
+    }
+  }
+
+  /**
+   * The `dataflow` stage.
+   */
+  cached
+  module DataFlow {
+    /**
+     * Always holds.
+     * Ensures that a predicate is evaluated as part of the DataFlow stage.
+     */
+    cached
+    predicate ref() { 1 = 1 }
+
+    private import semmle.python.dataflow.new.internal.DataFlowPublic as DataFlowPublic
+    private import semmle.python.dataflow.new.internal.LocalSources as LocalSources
+    private import semmle.python.internal.Awaited as Awaited
+
+    /**
+     * DONT USE!
+     * Contains references to each predicate that use the above `ref` predicate.
+     */
+    cached
+    predicate backref() {
+      1 = 1
+      or
+      exists(any(DataFlowPublic::Node node).toString())
+      or
+      any(DataFlowPublic::Node node).hasLocationInfo(_, _, _, _, _)
+      or
+      any(LocalSources::LocalSourceNode n).flowsTo(_)
+      or
+      exists(Awaited::awaited(_))
     }
   }
 }

python/ql/lib/semmle/python/objects/ObjectInternal.qll

@@ -216,7 +216,7 @@ class BuiltinOpaqueObjectInternal extends ObjectInternal, TBuiltinOpaqueObject {
   override Builtin getBuiltin() { this = TBuiltinOpaqueObject(result) }
 
   override string toString() {
-    Stages::DataFlow::ref() and
+    Stages::PointsTo::ref() and
     result = this.getBuiltin().getClass().getName() + " object"
   }
 

python/ql/lib/semmle/python/pointsto/Base.qll

@@ -318,7 +318,7 @@ module BaseFlow {
   predicate scope_entry_value_transfer_from_earlier(
     EssaVariable pred_var, Scope pred_scope, ScopeEntryDefinition succ_def, Scope succ_scope
   ) {
-    Stages::DataFlow::ref() and
+    Stages::PointsTo::ref() and
     exists(SsaSourceVariable var |
       essa_var_scope(var, pred_scope, pred_var) and
       scope_entry_def_scope(var, succ_scope, succ_def)

python/ql/lib/semmle/python/pointsto/PointsTo.qll

@@ -2569,7 +2569,7 @@ module AttributePointsTo {
   predicate variableAttributePointsTo(
     EssaVariable var, Context context, string name, ObjectInternal value, CfgOrigin origin
   ) {
-    Stages::DataFlow::ref() and
+    Stages::PointsTo::ref() and
     definitionAttributePointsTo(var.getDefinition(), context, name, value, origin)
     or
     exists(EssaVariable prev |

python/ql/lib/semmle/python/types/Object.qll

@@ -5,7 +5,7 @@ private import semmle.python.internal.CachedStages
 
 cached
 private predicate is_an_object(@py_object obj) {
-  Stages::DataFlow::ref() and
+  Stages::PointsTo::ref() and
   /* CFG nodes for numeric literals, all of which have a @py_cobject for the value of that literal */
   obj instanceof ControlFlowNode and
   not obj.(ControlFlowNode).getNode() instanceof IntegerLiteral and
@@ -78,7 +78,7 @@ class Object extends @py_object {
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    Stages::DataFlow::ref() and
+    Stages::PointsTo::ref() and
     this.hasOrigin() and
     this.getOrigin()
         .getLocation()
@@ -98,7 +98,7 @@ class Object extends @py_object {
   /** Gets a textual representation of this element. */
   cached
   string toString() {
-    Stages::DataFlow::ref() and
+    Stages::PointsTo::ref() and
     not this = undefinedVariable() and
     not this = unknownValue() and
     exists(ClassObject type | type.asBuiltin() = this.asBuiltin().getClass() |