Python: Remove points-to from Expr

Author: tausbn

python/ql/examples/snippets/builtin_object.ql

@@ -8,7 +8,8 @@
  */
 
 import python
+private import LegacyPointsTo
 
-from Expr e, string name
+from ExprWithPointsTo e, string name
 where e.pointsTo(Value::named(name)) and not name.charAt(_) = "."
 select e

python/ql/examples/snippets/catch_exception.ql

@@ -8,9 +8,10 @@
  */
 
 import python
+private import LegacyPointsTo
 
 from ExceptStmt ex, ClassValue cls
 where
   cls.getName() = "MyExceptionClass" and
-  ex.getType().pointsTo(cls)
+  ex.getType().(ExprWithPointsTo).pointsTo(cls)
 select ex

python/ql/examples/snippets/conditional_expression.ql

@@ -9,10 +9,11 @@
  */
 
 import python
+private import LegacyPointsTo
 
 from IfExp e, ClassObject cls1, ClassObject cls2
 where
-  e.getBody().refersTo(_, cls1, _) and
-  e.getOrelse().refersTo(_, cls2, _) and
+  e.getBody().(ExprWithPointsTo).refersTo(_, cls1, _) and
+  e.getOrelse().(ExprWithPointsTo).refersTo(_, cls2, _) and
   cls1 != cls2
 select e

python/ql/examples/snippets/new_instance.ql

@@ -8,9 +8,10 @@
  */
 
 import python
+private import LegacyPointsTo
 
 from Call new, ClassValue cls
 where
   cls.getName() = "MyClass" and
-  new.getFunc().pointsTo(cls)
+  new.getFunc().(ExprWithPointsTo).pointsTo(cls)
 select new

python/ql/examples/snippets/print.ql

@@ -6,12 +6,13 @@
  */
 
 import python
+private import LegacyPointsTo
 
 from AstNode print
 where
   /* Python 2 without `from __future__ import print_function` */
   print instanceof Print
   or
   /* Python 3 or with `from __future__ import print_function` */
-  print.(Call).getFunc().pointsTo(Value::named("print"))
+  print.(Call).getFunc().(ExprWithPointsTo).pointsTo(Value::named("print"))
 select print

python/ql/examples/snippets/raise_exception.ql

@@ -8,9 +8,10 @@
  */
 
 import python
+private import LegacyPointsTo
 
 from Raise raise, ClassValue ex
 where
   ex.getName() = "AnException" and
-  raise.getException().pointsTo(ex.getASuperType())
+  raise.getException().(ExprWithPointsTo).pointsTo(ex.getASuperType())
 select raise, "Don't raise instances of 'AnException'"

python/ql/lib/LegacyPointsTo.qll

@@ -119,3 +119,73 @@ private predicate varHasCompletePointsToSet(SsaVariable var) {
     )
   )
 }
+
+/**
+ * An extension of `Expr` that provides points-to predicates.
+ */
+class ExprWithPointsTo extends Expr {
+  /**
+   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
+   * Gets what this expression might "refer-to". Performs a combination of localized (intra-procedural) points-to
+   *  analysis and global module-level analysis. This points-to analysis favours precision over recall. It is highly
+   *  precise, but may not provide information for a significant number of flow-nodes.
+   *  If the class is unimportant then use `refersTo(value)` or `refersTo(value, origin)` instead.
+   * NOTE: For complex dataflow, involving multiple stages of points-to analysis, it may be more precise to use
+   * `ControlFlowNode.refersTo(...)` instead.
+   */
+  predicate refersTo(Object obj, ClassObject cls, AstNode origin) {
+    this.refersTo(_, obj, cls, origin)
+  }
+
+  /**
+   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
+   * Gets what this expression might "refer-to" in the given `context`.
+   */
+  predicate refersTo(Context context, Object obj, ClassObject cls, AstNode origin) {
+    this.getAFlowNode()
+        .(ControlFlowNodeWithPointsTo)
+        .refersTo(context, obj, cls, origin.getAFlowNode())
+  }
+
+  /**
+   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
+   * Holds if this expression might "refer-to" to `value` which is from `origin`
+   * Unlike `this.refersTo(value, _, origin)`, this predicate includes results
+   * where the class cannot be inferred.
+   */
+  pragma[nomagic]
+  predicate refersTo(Object obj, AstNode origin) {
+    this.getAFlowNode().(ControlFlowNodeWithPointsTo).refersTo(obj, origin.getAFlowNode())
+  }
+
+  /**
+   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
+   * Equivalent to `this.refersTo(value, _)`
+   */
+  predicate refersTo(Object obj) { this.refersTo(obj, _) }
+
+  /**
+   * Holds if this expression might "point-to" to `value` which is from `origin`
+   * in the given `context`.
+   */
+  predicate pointsTo(Context context, Value value, AstNode origin) {
+    this.getAFlowNode()
+        .(ControlFlowNodeWithPointsTo)
+        .pointsTo(context, value, origin.getAFlowNode())
+  }
+
+  /**
+   * Holds if this expression might "point-to" to `value` which is from `origin`.
+   */
+  predicate pointsTo(Value value, AstNode origin) {
+    this.getAFlowNode().(ControlFlowNodeWithPointsTo).pointsTo(value, origin.getAFlowNode())
+  }
+
+  /**
+   * Holds if this expression might "point-to" to `value`.
+   */
+  predicate pointsTo(Value value) { this.pointsTo(value, _) }
+
+  /** Gets a value that this expression might "point-to". */
+  Value pointsTo() { this.pointsTo(result) }
+}

python/ql/lib/semmle/python/Exprs.qll

@@ -1,7 +1,4 @@
-import python
-private import LegacyPointsTo
-private import semmle.python.pointsto.PointsTo
-private import semmle.python.objects.ObjectInternal
+private import python
 private import semmle.python.internal.CachedStages
 
 /** An expression */
@@ -53,71 +50,6 @@ class Expr extends Expr_, AstNode {
   Expr getASubExpression() { none() }
 
   override AstNode getAChildNode() { result = this.getASubExpression() }
-
-  /**
-   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
-   * Gets what this expression might "refer-to". Performs a combination of localized (intra-procedural) points-to
-   *  analysis and global module-level analysis. This points-to analysis favours precision over recall. It is highly
-   *  precise, but may not provide information for a significant number of flow-nodes.
-   *  If the class is unimportant then use `refersTo(value)` or `refersTo(value, origin)` instead.
-   * NOTE: For complex dataflow, involving multiple stages of points-to analysis, it may be more precise to use
-   * `ControlFlowNode.refersTo(...)` instead.
-   */
-  predicate refersTo(Object obj, ClassObject cls, AstNode origin) {
-    this.refersTo(_, obj, cls, origin)
-  }
-
-  /**
-   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
-   * Gets what this expression might "refer-to" in the given `context`.
-   */
-  predicate refersTo(Context context, Object obj, ClassObject cls, AstNode origin) {
-    this.getAFlowNode()
-        .(ControlFlowNodeWithPointsTo)
-        .refersTo(context, obj, cls, origin.getAFlowNode())
-  }
-
-  /**
-   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
-   * Holds if this expression might "refer-to" to `value` which is from `origin`
-   * Unlike `this.refersTo(value, _, origin)`, this predicate includes results
-   * where the class cannot be inferred.
-   */
-  pragma[nomagic]
-  predicate refersTo(Object obj, AstNode origin) {
-    this.getAFlowNode().(ControlFlowNodeWithPointsTo).refersTo(obj, origin.getAFlowNode())
-  }
-
-  /**
-   * NOTE: `refersTo` will be deprecated in 2019. Use `pointsTo` instead.
-   * Equivalent to `this.refersTo(value, _)`
-   */
-  predicate refersTo(Object obj) { this.refersTo(obj, _) }
-
-  /**
-   * Holds if this expression might "point-to" to `value` which is from `origin`
-   * in the given `context`.
-   */
-  predicate pointsTo(Context context, Value value, AstNode origin) {
-    this.getAFlowNode()
-        .(ControlFlowNodeWithPointsTo)
-        .pointsTo(context, value, origin.getAFlowNode())
-  }
-
-  /**
-   * Holds if this expression might "point-to" to `value` which is from `origin`.
-   */
-  predicate pointsTo(Value value, AstNode origin) {
-    this.getAFlowNode().(ControlFlowNodeWithPointsTo).pointsTo(value, origin.getAFlowNode())
-  }
-
-  /**
-   * Holds if this expression might "point-to" to `value`.
-   */
-  predicate pointsTo(Value value) { this.pointsTo(value, _) }
-
-  /** Gets a value that this expression might "point-to". */
-  Value pointsTo() { this.pointsTo(result) }
 }
 
 /** An assignment expression, such as `x := y` */

python/ql/lib/semmle/python/Metrics.qll

@@ -124,7 +124,7 @@ class ClassMetrics extends Class {
       )
       or
       exists(Function f, Call c, ClassObject cls | c.getScope() = f and f.getScope() = this |
-        c.getFunc().refersTo(cls) and
+        c.getFunc().(ExprWithPointsTo).refersTo(cls) and
         cls.getPyClass() = other
       )
     )
@@ -293,7 +293,7 @@ class ModuleMetrics extends Module {
       )
       or
       exists(Function f, Call c, ClassObject cls | c.getScope() = f and f.getScope() = this |
-        c.getFunc().refersTo(cls) and
+        c.getFunc().(ExprWithPointsTo).refersTo(cls) and
         cls.getPyClass().getEnclosingModule() = other
       )
     )

python/ql/lib/semmle/python/objects/ObjectAPI.qll

@@ -697,7 +697,9 @@ abstract class FunctionValue extends CallableValue {
     exists(ClassValue cls, string name |
       cls.declaredAttribute(name) = this and
       name != "__new__" and
-      exists(Expr expr, AstNode origin | expr.pointsTo(this, origin) | not origin instanceof Lambda)
+      exists(ExprWithPointsTo expr, AstNode origin | expr.pointsTo(this, origin) |
+        not origin instanceof Lambda
+      )
     )
   }