Merge pull request #7344 from SZFsir/main

JS: Improve inter-procedural type inference for FunctionExpr
2026-05-12 18:29:30 +02:00 · 2021-12-13 21:58:53 +01:00
parent dc27089714 efc9e67ec2
commit de4458346f
6 changed files with 51 additions and 5 deletions
--- a/javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll
+++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll
@@ -190,6 +190,14 @@ private VarAccess getOnlyAccess(FunctionDeclStmt fn, LocalVariable v) {
  result = unique(VarAccess acc | acc = v.getAnAccess())
 }

+private VarAccess getOnlyAccessToFunctionExpr(FunctionExpr fn, LocalVariable v) {
+  exists(VariableDeclarator decl |
+    fn = decl.getInit() and
+    v = decl.getBindingPattern().getVariable() and
+    result = unique(VarAccess acc | acc = v.getAnAccess())
+  )
+}
+
 /** A function that only is used locally, making it amenable to type inference. */
 class LocalFunction extends Function {
  DataFlow::Impl::ExplicitInvokeNode invk;
@@ -199,6 +207,9 @@ class LocalFunction extends Function {
      getOnlyAccess(this, v) = invk.getCalleeNode().asExpr() and
      not exists(v.getAnAssignedExpr()) and
      not exists(ExportDeclaration export | export.exportsAs(v, _))
+      or
+      getOnlyAccessToFunctionExpr(this, v) = invk.getCalleeNode().asExpr() and
+      not exists(ExportDeclaration export | export.exportsAs(v, _))
    ) and
    // if the function is non-strict and its `arguments` object is accessed, we
    // also assume that there may be other calls (through `arguments.callee`)