Python: Call analysis fails in some scenarios #19288

mckirk opened this issue Apr 11, 2025 · 1 comment
Labels
question Further information is requested

mckirk commented Apr 11, 2025

While trying to use the 'pointsTo' approach for some basic control-flow-based queries (please let me know if there's a better approach to find 'all statements reachable from a function entry-point'), I've noticed that currently, some calls are incorrectly picked up without any value to point to.

MWE:

```python
import sys

def mwe_callable():
    print("Hello, World!") # works

def mwe_broken():
    if herp := sys.argv[1]:
        raise Exception("merp") # broken

    mwe_callable() # broken

def mwe_broken2():
    if herp := "derp":
        print("merp") # broken

    mwe_callable() # works

def mwe_works():
    if sys.argv[1] == "derp":
        raise Exception("merp") # works

    mwe_callable() # works

def mwe_works2():
    print("merp") # works
    mwe_callable() # works
```

Test query:

```ql
import python

from Function f, Call c, Expr e
where
  f.contains(c) and
  e = c.getFunc() and
  not exists(Value v | e.pointsTo() = v)
select f, c, e
```

Every call I've marked here as 'broken' is returned by the query as not having any Value to point to, whereas the other calls are correctly identified and associated with their target.

I am using:

- CodeQL CLI 2.21.0
- CodeQL VSCode extension 1.17.2
- codeql/python-all@4.0.4
- Python extractor 1.22.1

mckirk added the question (Further information is requested) label Apr 11, 2025

joefarebrother (Contributor) commented

Hello @mckirk,
The pointsTo analysis API is not really supported or maintained any more.
For function call resolution, unfortunately the new call graph does not yet have a stable public-facing API, partly because direct call resolution is rarely needed, in favor of data flow / taint tracking. But if you do need it, this comment shows how to dig out the new call resolution predicate.
