JS: Handle implicit return in getImmediatePredecessor

2025-12-16 16:53:25 +01:00 · 2019-08-01 11:05:35 +01:00
parent 8e1893d0ed
commit 5397da7579
2 changed files with 9 additions and 7 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -166,11 +166,7 @@ module DataFlow {
     * Gets the immediate predecessor of this node, if any.
     *
     * A node with an immediate predecessor can usually only have the value that flows
-     * into its from its immediate predecessor, currently with one exception:
-     *
-     * - An immediately-invoked function expression with a single return expression `e`
-     *   has `e` as its immediate predecessor, even if the function can fall over the
-     *   end and return `undefined`.
+     * into its from its immediate predecessor.
     */
    cached
    DataFlow::Node getImmediatePredecessor() {
@@ -190,11 +186,11 @@ module DataFlow {
      )
      or
      // IIFE call -> return value of IIFE
-      // Note: not sound in case function falls over end and returns 'undefined'
      exists(Function fun |
        localCall(this.asExpr(), fun) and
        result = fun.getAReturnedExpr().flow() and
-        strictcount(fun.getAReturnedExpr()) = 1
+        strictcount(fun.getAReturnedExpr()) = 1 and
+        not fun.getExit().isJoin() // can only reach exit by the return statement
      )
    }
  }
--- a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js
+++ b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js
@@ -0,0 +1,6 @@
+function test() {
+  let x = (function() {
+    if (g) return 5;
+  })();
+  if (x + 1 < 5) {} // OK
+}