JavaScript: Fix data flow out of reflective calls.

We were previously missing a data-flow edge from reflected calls to the corresponding reflective call, that is, for `f.call(...)` we didn't have a flow edge from the implicit call to `f` to the result of `f.call(...)`.
2026-05-05 05:35:13 +02:00 · 2019-07-01 20:40:46 +01:00
parent 7f95c20345
commit 91a718cfe5
9 changed files with 23 additions and 0 deletions
--- a/javascript/ql/test/library-tests/DataFlow/flowStep.expected
+++ b/javascript/ql/test/library-tests/DataFlow/flowStep.expected
@@ -140,6 +140,7 @@
 | tst.js:111:23:111:25 | v2c | tst.js:111:6:111:38 | v2c |
 | tst.js:111:29:111:31 | o2c | tst.js:111:6:111:38 | v2c |
 | tst.js:111:36:111:38 | o2d | tst.js:111:6:111:32 | [v2a, v ...  = o2c] |
+| tst.js:115:1:115:12 | reflective call | tst.js:115:1:115:12 | Array.call() |
 | tst.ts:1:1:1:1 | A | tst.ts:1:11:1:11 | A |
 | tst.ts:1:1:1:1 | A | tst.ts:7:1:7:0 | A |
 | tst.ts:1:1:5:1 | A | tst.ts:7:1:7:0 | A |
--- a/javascript/ql/test/library-tests/DataFlow/incomplete.expected
+++ b/javascript/ql/test/library-tests/DataFlow/incomplete.expected
@@ -82,6 +82,11 @@
 | tst.js:111:23:111:25 | v2c | heap |
 | tst.js:111:29:111:31 | o2c | global |
 | tst.js:111:36:111:38 | o2d | global |
+| tst.js:115:1:115:5 | Array | global |
+| tst.js:115:1:115:10 | Array.call | global |
+| tst.js:115:1:115:10 | Array.call | heap |
+| tst.js:115:1:115:12 | Array.call() | call |
+| tst.js:115:1:115:12 | exceptional return of Array.call() | call |
 | tst.ts:2:14:2:19 | x | namespace |
 | tst.ts:3:3:3:8 | exceptional return of setX() | call |
 | tst.ts:3:3:3:8 | setX() | call |
--- a/javascript/ql/test/library-tests/DataFlow/sources.expected
+++ b/javascript/ql/test/library-tests/DataFlow/sources.expected
@@ -85,6 +85,10 @@
 | tst.js:111:23:111:25 | v2c |
 | tst.js:111:29:111:31 | o2c |
 | tst.js:111:36:111:38 | o2d |
+| tst.js:115:1:115:5 | Array |
+| tst.js:115:1:115:10 | Array.call |
+| tst.js:115:1:115:12 | Array.call() |
+| tst.js:115:1:115:12 | reflective call |
 | tst.ts:1:1:1:0 | this |
 | tst.ts:3:3:3:8 | setX() |
 | tst.ts:7:1:7:0 | this |
--- a/javascript/ql/test/library-tests/DataFlow/tst.js
+++ b/javascript/ql/test/library-tests/DataFlow/tst.js
@@ -111,4 +111,7 @@ x ?? y;                           // flow through short-circuiting operator
 	var [v2a, v2b = o2b, v2c = o2c] = o2d;
 	v2a + v2b + v2c;
 });
+
+Array.call()  // flow from implicit call to `Array` to `Array.call`
+
 // semmle-extractor-options: --experimental