-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtest.txt
139 lines (130 loc) · 4.32 KB
/
test.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
class FilterJumpStep extends TypeTrackingInput::AdditionalCapturedJumpStep {
/**
* Holds if data can flow from `pred` to `succ` via a callback chain.
*/
predicate test(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
exists(Attribute attr, SelfAttributeStore store, DataFlow::Node objNode |
attr.getObject() = objNode.asExpr()
and attr.getName() = store.getName()
and objNode.getALocalSource().asExpr() = store.getClass().getClassObject().getACall().getNode()
and nodeFrom.asExpr() = attr
and nodeTo.asExpr() = store.getAssignedValue()
)
}
override predicate othercapturedjumpstep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Class Base:
// var = expr
// ...
// def f(self):
// ...self.var is used...
//
// Class Sub(Base):
// def g(self):
// ...self.var is used...
//
// nodeFrom is `expr`
// nodeTo is entry node for `self.var`
exists(SelfAttributeRead read, Class baseClass, Class subClass |
baseClass.contains(nodeFrom.asExpr()) and
(
exists(ClassObject subClassObj |
subClassObj.getABaseType*() = baseClass.getClassObject() and
subClassObj = subClass.getClassObject()
)
or
subClass = baseClass
)
and
subClass.contains(read) and
read.getName() = nodeFrom.asExpr().toString() and
nodeTo.asCfgNode() = read.getAFlowNode()
)
// Class Base:
// def __init__(self, expr=expr):
// self.var = expr
//
// def f(self):
// ...self.var is used...
//
// Class Sub(Base):
// def g(self):
// ...self.var is used...
//
// nodeFrom is `expr`
// nodeTo is entry node for `self.var`
or
exists(SelfAttributeStore store, SelfAttributeRead read, Class subClass |
nodeFrom.asExpr() = store.getAssignedValue() and
(
exists(Class baseClass, ClassObject subClassObj |
baseClass = store.getClass() and
subClassObj.getABaseType*() = baseClass.getClassObject() and
subClassObj = subClass.getClassObject()
)
or
subClass = store.getClass()
)
and
subClass.contains(read) and
read.getName() = store.getName() and
nodeTo.asCfgNode() = read.getAFlowNode()
)
or
exists(Attribute attr, SelfAttributeStore store, DataFlow::Node objNode |
attr.getObject() = objNode.asExpr()
and attr.getName() = store.getName()
and objNode.getALocalSource().asExpr() = store.getClass().getClassObject().getACall().getNode()
and nodeFrom.asExpr() = store.getAssignedValue()
and nodeTo.asExpr() = attr
)
}
}
/**
* A unit class for adding additional jump steps.
*
* Extend this class to add additional jump steps.
*/
class AdditionalCapturedJumpStep extends Unit {
/**
* Holds if data can flow from `pred` to `succ` in a way that discards call contexts.
*/
abstract predicate othercapturedjumpstep(Node pred, Node succ);
}
private predicate capturedJumpStep(Node nodeFrom, Node nodeTo) {
// Jump into a capturing scope.
//
// var = expr
// ...
// def f():
// ..var is used..
//
// nodeFrom is `expr`
// nodeTo is entry node for `f`
exists(ScopeEntryDefinition e, SsaSourceVariable var, DefinitionNode def |
e.getSourceVariable() = var and
var.hasDefiningNode(def)
|
nodeTo.(DataFlowPublic::ScopeEntryDefinitionNode).getDefinition() = e and
nodeFrom.asCfgNode() = def.getValue() and
var.getScope().getScope*() = nodeFrom.getScope()
)
or
any(AdditionalCapturedJumpStep s).othercapturedjumpstep(nodeFrom, nodeTo)
}
predicate test(Node node1, Node node2) {
exists(int n, int i, API::CallNode callNode, Function func |
callNode = API::moduleImport("threading").getMember("Thread").getACall()
and
not callNode.getScope().getLocation().getFile().inStdlib()
and
n = callNode.getParameter(3, "args").asSink().asCfgNode().(TupleObject).getLength()
and
i in [0 .. n]
and
node1.asExpr() = callNode.getParameter(3, "args").asSink().asCfgNode().getNode().(Tuple).getElts().getItem(i)
and
callNode.getParameter(1, "target").asSink().asCfgNode().getNode().toString() = func.getName()
and
node2.asExpr() = func.getArgs().getItem(i)
)
}