Python: wip block flow from captured variables

I think a better approach is to first write a test
identifying double flow, then see that disappear.

Author: yoff

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -288,53 +288,65 @@ class DataFlowExpr = Expr;
  * Some syntaxtic constructs are handled separately.
  */
 module LocalFlow {
+  private predicate capturedVariableRead(Node n) {
+    n.asExpr() = any(VariableCapture::CapturedVariable v).getALoad()
+  }
+
   /** Holds if `nodeFrom` is the expression defining the value for the variable `nodeTo`. */
   predicate definitionFlowStep(Node nodeFrom, Node nodeTo) {
-    // Definition
-    //   `x = f(42)`
-    //   nodeFrom is `f(42)`
-    //   nodeTo is `x`
-    exists(AssignmentDefinition def |
-      nodeFrom.(CfgNode).getNode() = def.getValue() and
-      nodeTo.(CfgNode).getNode() = def.getDefiningNode()
-    )
-    or
-    // With definition
-    //   `with f(42) as x:`
-    //   nodeFrom is `f(42)`
-    //   nodeTo is `x`
-    exists(With with, ControlFlowNode contextManager, WithDefinition withDef, ControlFlowNode var |
-      var = withDef.getDefiningNode()
-    |
-      nodeFrom.(CfgNode).getNode() = contextManager and
-      nodeTo.(CfgNode).getNode() = var and
-      // see `with_flow` in `python/ql/src/semmle/python/dataflow/Implementation.qll`
-      with.getContextExpr() = contextManager.getNode() and
-      with.getOptionalVars() = var.getNode() and
-      contextManager.strictlyDominates(var)
-      // note: we allow this for both `with` and `async with`, since some
-      // implementations do `async def __aenter__(self): return self`, so you can do
-      // both:
-      // * `foo = x.foo(); await foo.async_method(); foo.close()` and
-      // * `async with x.foo() as foo: await foo.async_method()`.
+    not capturedVariableRead(nodeTo) and
+    (
+      // Definition
+      //   `x = f(42)`
+      //   nodeFrom is `f(42)`
+      //   nodeTo is `x`
+      exists(AssignmentDefinition def |
+        nodeFrom.(CfgNode).getNode() = def.getValue() and
+        nodeTo.(CfgNode).getNode() = def.getDefiningNode()
+      )
+      or
+      // With definition
+      //   `with f(42) as x:`
+      //   nodeFrom is `f(42)`
+      //   nodeTo is `x`
+      exists(
+        With with, ControlFlowNode contextManager, WithDefinition withDef, ControlFlowNode var
+      |
+        var = withDef.getDefiningNode()
+      |
+        nodeFrom.(CfgNode).getNode() = contextManager and
+        nodeTo.(CfgNode).getNode() = var and
+        // see `with_flow` in `python/ql/src/semmle/python/dataflow/Implementation.qll`
+        with.getContextExpr() = contextManager.getNode() and
+        with.getOptionalVars() = var.getNode() and
+        contextManager.strictlyDominates(var)
+        // note: we allow this for both `with` and `async with`, since some
+        // implementations do `async def __aenter__(self): return self`, so you can do
+        // both:
+        // * `foo = x.foo(); await foo.async_method(); foo.close()` and
+        // * `async with x.foo() as foo: await foo.async_method()`.
+      )
     )
   }
 
   predicate expressionFlowStep(Node nodeFrom, Node nodeTo) {
-    // If expressions
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(IfExprNode).getAnOperand()
-    or
-    // Assignment expressions
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(AssignmentExprNode).getValue()
-    or
-    // boolean inline expressions such as `x or y` or `x and y`
-    nodeFrom.asCfgNode() = nodeTo.asCfgNode().(BoolExprNode).getAnOperand()
-    or
-    // Flow inside an unpacking assignment
-    iterableUnpackingFlowStep(nodeFrom, nodeTo)
-    or
-    // Flow inside a match statement
-    matchFlowStep(nodeFrom, nodeTo)
+    not capturedVariableRead(nodeTo) and
+    (
+      // If expressions
+      nodeFrom.asCfgNode() = nodeTo.asCfgNode().(IfExprNode).getAnOperand()
+      or
+      // Assignment expressions
+      nodeFrom.asCfgNode() = nodeTo.asCfgNode().(AssignmentExprNode).getValue()
+      or
+      // boolean inline expressions such as `x or y` or `x and y`
+      nodeFrom.asCfgNode() = nodeTo.asCfgNode().(BoolExprNode).getAnOperand()
+      or
+      // Flow inside an unpacking assignment
+      iterableUnpackingFlowStep(nodeFrom, nodeTo)
+      or
+      // Flow inside a match statement
+      matchFlowStep(nodeFrom, nodeTo)
+    )
   }
 
   predicate useToNextUse(NameNode nodeFrom, NameNode nodeTo) {
@@ -346,22 +358,25 @@ module LocalFlow {
   }
 
   predicate useUseFlowStep(Node nodeFrom, Node nodeTo) {
-    // First use after definition
-    //   `y = 42`
-    //   `x = f(y)`
-    //   nodeFrom is `y` on first line
-    //   nodeTo is `y` on second line
-    exists(EssaDefinition def |
-      nodeFrom.(CfgNode).getNode() = def.(EssaNodeDefinition).getDefiningNode() and
-      AdjacentUses::firstUse(def, nodeTo.(CfgNode).getNode())
+    // not capturedVariableRead(nodeTo) and
+    (
+      // First use after definition
+      //   `y = 42`
+      //   `x = f(y)`
+      //   nodeFrom is `y` on first line
+      //   nodeTo is `y` on second line
+      exists(EssaDefinition def |
+        nodeFrom.(CfgNode).getNode() = def.(EssaNodeDefinition).getDefiningNode() and
+        AdjacentUses::firstUse(def, nodeTo.(CfgNode).getNode())
+      )
+      or
+      // Next use after use
+      //   `x = f(y)`
+      //   `z = y + 1`
+      //   nodeFrom is 'y' on first line, cfg node
+      //   nodeTo is `y` on second line, cfg node
+      useToNextUse(nodeFrom.asCfgNode(), nodeTo.asCfgNode())
     )
-    or
-    // Next use after use
-    //   `x = f(y)`
-    //   `z = y + 1`
-    //   nodeFrom is 'y' on first line, cfg node
-    //   nodeTo is `y` on second line, cfg node
-    useToNextUse(nodeFrom.asCfgNode(), nodeTo.asCfgNode())
   }
 
   predicate localFlowStep(Node nodeFrom, Node nodeTo) {