Skip to content

Python: Port simple points-to queries without DCA alert changes#21519

Open
tausbn wants to merge 21 commits intomainfrom
tausbn/python-port-no-alert-change
Open

Python: Port simple points-to queries without DCA alert changes#21519
tausbn wants to merge 21 commits intomainfrom
tausbn/python-port-no-alert-change

Conversation

@tausbn
Copy link
Contributor

@tausbn tausbn commented Mar 19, 2026

A spin-off of #21350, containing only those changes that did not result in alert changes according to DCA. This should hopefully make it easier to review.

tausbn added 15 commits March 20, 2026 13:28
@tausbn
Python: Use API graphs instead of points-to for simple built-ins
f4841e1 
Also extends the list of known built-ins slightly, to add some that were
missing.
@tausbn
Python: Port py/print-during-import
1dcc769 
Uses a (perhaps) slightly coarser approximation of what modules are
imported, but it's probably fine.
@tausbn
Python: Introduce DuckTyping module
33ed603 
This module (which for convenience currently resides inside
`DataFlowDispatch`, but this may change later) contains convenience
predicates for bridging the gap between the data-flow layer and the old
points-to analysis.
@tausbn
Python: Add DuckTyping::isNewStyle
cd92162 
Approximates the behaviour of `Types::isNewStyle` but without depending
on points-to
@tausbn
Python: Add declares/getAttribute API
b57e921 
These could arguably be moved to `Class` itself, but for now I'm
choosing to limit the changes to the `DuckTyping` module (until we
decide on a proper API).
@tausbn
Python: Port SlotsInOldStyleClass.ql
3d20050 
Only trivial test changes.
@tausbn
Python: Port SuperInOldStyleClass.ql
e860d70
@tausbn
Python: Port PropertyInOldStyleClass.ql
8cfdea2 
Only trivial test changes.
@tausbn
Python: Port UselessClass.ql
025a7d0 
No test changes.
@tausbn
Python: Port ShouldBeContextManager.ql
283231b 
Only trivial test changes.
@tausbn
Python: Extend DuckTyping module
c04b615 
Adds `overridesMethod` and `isPropertyAccessor`.
@tausbn
Python: Port DocStrings.ql
fa8e4f7
@tausbn
Python: Add DuckTyping::hasUnreliableMro
50b3b7e 
Primarily used to filter out false positives in cases where our MRO
approximation may be wrong.
@tausbn
Python: Port DeprecatedSliceMethod.ql
3584ad1 
Only trivial test changes.
@tausbn
Python: Add change note
434b397
@tausbn tausbn force-pushed the tausbn/python-port-no-alert-change branch from 7a255dc to 434b397 Compare March 20, 2026 13:30
@tausbn tausbn marked this pull request as ready for review March 23, 2026 13:28
@tausbn tausbn requested a review from a team as a code owner March 23, 2026 13:28
Copilot AI review requested due to automatic review settings March 23, 2026 13:28
Copilot AI reviewed Mar 23, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Ports a set of Python QL queries away from the legacy points-to library (while aiming to avoid DCA-observed alert changes), updating shared libraries and test expectations to match the new resolution approach.

Changes:

  • Replace LegacyPointsTo usage in several Python queries with semmle.python.ApiGraphs and/or DataFlowDispatch.DuckTyping.
  • Introduce a DuckTyping helper module in DataFlowDispatch.qll for structural class/property checks.
  • Update query test .expected files and add a change note for the analysis change.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
python/ql/src/Variables/SuspiciousUnusedLoopIterationVariable.ql Switches range/list(range) detection from points-to to API graph call matching.
python/ql/src/Statements/UnnecessaryDelete.ql Replaces points-to detection of sys.exc_info calls with API graph matching.
python/ql/src/Statements/TopLevelPrint.ql Removes points-to dependency and adds a local predicate to detect “used as module”.
python/ql/src/Statements/SideEffectInAssert.ql Replaces points-to matching of subprocess.* calls with API graph matching.
python/ql/src/Statements/DocStrings.ql Replaces points-to override/property checks with DuckTyping-based checks.
python/ql/src/Imports/DeprecatedModule.ql Replaces points-to check for ImportError with API graph value reachability.
python/ql/src/Functions/DeprecatedSliceMethod.ql Uses DuckTyping to exclude overrides/unresolved bases instead of points-to method modeling.
python/ql/src/Expressions/UseofApply.ql Matches apply(...) via API graphs for Python 2 instead of points-to.
python/ql/src/Classes/UselessClass.ql Replaces inheritance checks based on points-to class values with class hierarchy predicates.
python/ql/src/Classes/SuperInOldStyleClass.ql Uses DuckTyping::isNewStyle instead of points-to-derived class object inference.
python/ql/src/Classes/SlotsInOldStyleClass.ql Uses DuckTyping attribute declaration checks instead of points-to class object inference.
python/ql/src/Classes/ShouldBeContextManager.ql Uses DuckTyping context manager/method checks instead of points-to class values.
python/ql/src/Classes/PropertyInOldStyleClass.ql Detects @property functions in old-style classes without points-to.
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll Adds DuckTyping module with structural predicates and MRO-related helpers.
python/ql/lib/semmle/python/dataflow/new/internal/Builtins.qll Extends builtins list (notably adds exit/quit etc.) and includes apply for Py2.
python/ql/test/query-tests/Functions/general/DeprecatedSliceMethod.expected Updates expected result rendering for the updated query entity selection.
python/ql/test/query-tests/Classes/should-be-context-manager/ShouldBeContextManager.expected Updates expected result rendering for the updated query entity selection.
python/ql/test/2/query-tests/Classes/new-style/SlotsInOldStyleClass.expected Updates expected result rendering for the updated query entity selection.
python/ql/test/2/query-tests/Classes/new-style/PropertyInOldStyleClass.expected Updates expected result location/entity rendering for the updated query.
python/ql/src/change-notes/2026-03-13-port-simple-points-to-queries.md Adds a change note describing the points-to removal work.

tausbn and others added 2 commits March 23, 2026 15:07
@tausbn
Python: Fix typo in comment
5859590 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@tausbn
Python: Make comment more precise
56c83e2 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
yoff
yoff previously approved these changes Mar 23, 2026
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. It is great to get started on this!
Very nice presentation, this was super easy to review :-)

tausbn added 3 commits March 23, 2026 14:55
@tausbn
Python: Select property instead of function
1ffcdc9 
in PropertyInOldStyleClass. This matches the previous behaviour more
closely.
@tausbn
Python: Add ternary overridesMethod
a276f72 
This one also allows easy access to the method being overridden and the
class on which it resides. This let's us simplify DocStrings.ql
accordingly.
@tausbn
Python: Make isNewType more precise
93e3566 
For module-level metaclass declarations, we now also check that the
right hand side in a `__metaclass__ = type` assignment is in fact the
built-in `type`.
@tausbn tausbn requested a review from yoff March 23, 2026 15:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@yoff yoff Awaiting requested review from yoff

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation Python

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tausbn @yoff