JS: Make type inference flow go through ssa definition node

2026-04-28 10:15:14 +02:00 · 2019-08-18 21:40:32 +01:00
parent aa009d07fd
commit 9f2f10fa15
2 changed files with 23 additions and 14 deletions
--- a/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll
@@ -33,25 +33,21 @@ private class AnalyzedCapturedVariable extends @variable {
 /**
 * Flow analysis for accesses to SSA variables.
 */
-private class SsaVarAccessAnalysis extends DataFlow::AnalyzedValueNode {
-  AnalyzedSsaDefinition def;
-
-  SsaVarAccessAnalysis() { astNode = def.getVariable().getAUse() }
-
-  override AbstractValue getALocalValue() { result = def.getAnRhsValue() }
+private class AnalyzedSsaDefinitionNode extends AnalyzedNode, DataFlow::SsaDefinitionNode {
+  override AbstractValue getALocalValue() { result = ssa.(AnalyzedSsaDefinition).getAnRhsValue() }
 }

 /**
 * Flow analysis for accesses to SSA variables.
 *
- * Unlike `SsaVarAccessAnalysis`, this only contributes to `getAValue()`, not `getALocalValue()`.
+ * Unlike `AnalyzedSsaDefinitionNode`, this only contributes to `getAValue()`, not `getALocalValue()`.
 */
-private class SsaVarAccessWithNonLocalAnalysis extends SsaVarAccessAnalysis {
+private class AnalyzedSsaDefinitionNodeWithNonLocalAnalysis extends AnalyzedSsaDefinitionNode {
  DataFlow::AnalyzedValueNode src;

-  SsaVarAccessWithNonLocalAnalysis() {
+  AnalyzedSsaDefinitionNodeWithNonLocalAnalysis() {
    exists(VarDef varDef |
-      varDef = def.(SsaExplicitDefinition).getDef() and
+      varDef = ssa.(SsaExplicitDefinition).getDef() and
      varDef.getSource().flow() = src and
      src instanceof CallWithNonLocalAnalyzedReturnFlow
    )
@@ -60,6 +56,23 @@ private class SsaVarAccessWithNonLocalAnalysis extends SsaVarAccessAnalysis {
  override AbstractValue getAValue() { result = src.getAValue() }
 }

+/**
+ * Flow analysis for SSA variable uses.
+ *
+ * Ensures that `getAValue` propagates from the SSA definition to its use.
+ */
+private class AnalyzedSsaVariableUse extends AnalyzedValueNode {
+  AnalyzedSsaVariableUse() {
+    this = DataFlow::valueNode(any(SsaVariable v).getAUse())
+  }
+
+  override AbstractValue getAValue() {
+    result = AnalyzedValueNode.super.getAValue()
+    or
+    result = localFlowPred().getAValue()
+  }
+}
+
 /**
 * Flow analysis for `VarDef`s.
 */
--- a/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
+++ b/javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected
@@ -1,8 +1,4 @@
 typeInferenceMismatch
-| addexpr.js:4:10:4:17 | source() | addexpr.js:4:5:4:17 | x |
-| addexpr.js:4:10:4:17 | source() | addexpr.js:6:3:6:14 | x |
-| addexpr.js:11:15:11:22 | source() | addexpr.js:17:5:17:18 | value |
-| addexpr.js:11:15:11:22 | source() | addexpr.js:19:3:19:14 | value |
 | destruct.js:20:7:20:14 | source() | destruct.js:13:14:13:19 | [a, b] |
 #select
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |