Swift: sync tests pass with additional flow steps

d10c · d10c · commit 66291d35755c · 2022-11-08T11:09:55.000+01:00
TODO: Convert those flow steps to taint flow models in the library.
diff --git a/swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql b/swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql
@@ -94,8 +94,57 @@ class UnsafeJsEvalConfig extends TaintTracking::Configuration {
 
   override predicate isSink(DataFlow::Node node) { node instanceof Sink }
 
-  override predicate isSanitizer(DataFlow::Node node) {
-    none() // TODO: A conversion to a primitive type or an enum
+  // TODO: convert to new taint flow models
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+    exists(Argument arg |
+      arg =
+        any(CallExpr ce |
+          ce.getStaticTarget()
+              .(MethodDecl)
+              .hasQualifiedName("WKUserScript",
+                [
+                  "init(source:injectionTime:forMainFrameOnly:)",
+                  "init(source:injectionTime:forMainFrameOnly:in:)"
+                ])
+        ).getArgument(0)
+      or
+      arg =
+        any(CallExpr ce |
+          ce.getStaticTarget()
+              .(FreeFunctionDecl)
+              .hasName([
+                  "JSStringCreateWithUTF8CString(_:)", "JSStringCreateWithCharacters(_:_:)",
+                  "JSStringRetain(_:)"
+                ])
+        ).getArgument(0)
+    |
+      nodeFrom.asExpr() = arg.getExpr() and
+      nodeTo.asExpr() = arg.getApplyExpr()
+    )
+    or
+    exists(CallExpr ce, Expr self, AbstractClosureExpr closure |
+      ce.getStaticTarget()
+          .getName()
+          .matches(["withContiguousStorageIfAvailable(%)", "withUnsafeBufferPointer(%)"]) and
+      self = ce.getQualifier() and
+      ce.getArgument(0).getExpr() = closure
+    |
+      nodeFrom.asExpr() = self and
+      nodeTo.(DataFlow::ParameterNode).getParameter() = closure.getParam(0)
+    )
+    or
+    exists(MemberRefExpr e, Expr self, VarDecl member |
+      self.getType().getName() = "String" and
+      member.getName() = ["utf16", "utf8CString"]
+      or
+      self.getType().getName().matches(["Unsafe%Buffer%", "Unsafe%Pointer%"]) and
+      member.getName() = ["baseAddress"]
+    |
+      e.getBase() = self and
+      e.getMember() = member and
+      nodeFrom.asExpr() = self and
+      nodeTo.asExpr() = e
+    )
   }
 }
 
diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.expected
@@ -0,0 +1,84 @@
+edges
+| UnsafeJsEval.swift:123:21:123:42 | string :  | UnsafeJsEval.swift:123:70:123:70 | string :  |
+| UnsafeJsEval.swift:164:10:164:37 | try ... :  | UnsafeJsEval.swift:200:21:200:35 | call to getRemoteData() :  |
+| UnsafeJsEval.swift:164:10:164:37 | try ... :  | UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  |
+| UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:164:10:164:37 | try ... :  |
+| UnsafeJsEval.swift:200:21:200:35 | call to getRemoteData() :  | UnsafeJsEval.swift:204:7:204:7 | remoteString :  |
+| UnsafeJsEval.swift:200:21:200:35 | call to getRemoteData() :  | UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  |
+| UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:264:13:264:13 | string :  |
+| UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:267:13:267:13 | string :  |
+| UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:275:13:275:13 | string :  |
+| UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:278:13:278:13 | string :  |
+| UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:284:13:284:13 | string :  |
+| UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | UnsafeJsEval.swift:298:13:298:13 | string :  |
+| UnsafeJsEval.swift:204:7:204:7 | remoteString :  | UnsafeJsEval.swift:264:13:264:13 | string :  |
+| UnsafeJsEval.swift:204:7:204:7 | remoteString :  | UnsafeJsEval.swift:267:13:267:13 | string :  |
+| UnsafeJsEval.swift:204:7:204:7 | remoteString :  | UnsafeJsEval.swift:275:13:275:13 | string :  |
+| UnsafeJsEval.swift:204:7:204:7 | remoteString :  | UnsafeJsEval.swift:278:13:278:13 | string :  |
+| UnsafeJsEval.swift:204:7:204:7 | remoteString :  | UnsafeJsEval.swift:284:13:284:13 | string :  |
+| UnsafeJsEval.swift:204:7:204:7 | remoteString :  | UnsafeJsEval.swift:298:13:298:13 | string :  |
+| UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:264:13:264:13 | string :  |
+| UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:267:13:267:13 | string :  |
+| UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:275:13:275:13 | string :  |
+| UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:278:13:278:13 | string :  |
+| UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:284:13:284:13 | string :  |
+| UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | UnsafeJsEval.swift:298:13:298:13 | string :  |
+| UnsafeJsEval.swift:264:13:264:13 | string :  | UnsafeJsEval.swift:265:22:265:107 | call to init(source:injectionTime:forMainFrameOnly:) |
+| UnsafeJsEval.swift:267:13:267:13 | string :  | UnsafeJsEval.swift:268:22:268:124 | call to init(source:injectionTime:forMainFrameOnly:in:) |
+| UnsafeJsEval.swift:275:13:275:13 | string :  | UnsafeJsEval.swift:276:26:276:26 | string |
+| UnsafeJsEval.swift:278:13:278:13 | string :  | UnsafeJsEval.swift:279:26:279:26 | string |
+| UnsafeJsEval.swift:284:13:284:13 | string :  | UnsafeJsEval.swift:285:3:285:10 | .utf16 :  |
+| UnsafeJsEval.swift:285:3:285:10 | .utf16 :  | UnsafeJsEval.swift:285:51:285:51 | stringBytes :  |
+| UnsafeJsEval.swift:285:51:285:51 | stringBytes :  | UnsafeJsEval.swift:286:31:286:97 | call to JSStringCreateWithCharacters(_:_:) :  |
+| UnsafeJsEval.swift:285:51:285:51 | stringBytes :  | UnsafeJsEval.swift:290:17:290:17 | jsstr |
+| UnsafeJsEval.swift:286:16:286:98 | call to JSStringRetain(_:) :  | UnsafeJsEval.swift:290:17:290:17 | jsstr |
+| UnsafeJsEval.swift:286:31:286:97 | call to JSStringCreateWithCharacters(_:_:) :  | UnsafeJsEval.swift:123:21:123:42 | string :  |
+| UnsafeJsEval.swift:286:31:286:97 | call to JSStringCreateWithCharacters(_:_:) :  | UnsafeJsEval.swift:286:16:286:98 | call to JSStringRetain(_:) :  |
+| UnsafeJsEval.swift:286:31:286:97 | call to JSStringCreateWithCharacters(_:_:) :  | UnsafeJsEval.swift:290:17:290:17 | jsstr |
+| UnsafeJsEval.swift:298:13:298:13 | string :  | UnsafeJsEval.swift:299:3:299:10 | .utf8CString :  |
+| UnsafeJsEval.swift:299:3:299:10 | .utf8CString :  | UnsafeJsEval.swift:299:48:299:48 | stringBytes :  |
+| UnsafeJsEval.swift:299:48:299:48 | stringBytes :  | UnsafeJsEval.swift:300:31:300:84 | call to JSStringCreateWithUTF8CString(_:) :  |
+| UnsafeJsEval.swift:299:48:299:48 | stringBytes :  | UnsafeJsEval.swift:304:17:304:17 | jsstr |
+| UnsafeJsEval.swift:300:16:300:85 | call to JSStringRetain(_:) :  | UnsafeJsEval.swift:304:17:304:17 | jsstr |
+| UnsafeJsEval.swift:300:31:300:84 | call to JSStringCreateWithUTF8CString(_:) :  | UnsafeJsEval.swift:123:21:123:42 | string :  |
+| UnsafeJsEval.swift:300:31:300:84 | call to JSStringCreateWithUTF8CString(_:) :  | UnsafeJsEval.swift:300:16:300:85 | call to JSStringRetain(_:) :  |
+| UnsafeJsEval.swift:300:31:300:84 | call to JSStringCreateWithUTF8CString(_:) :  | UnsafeJsEval.swift:304:17:304:17 | jsstr |
+nodes
+| UnsafeJsEval.swift:123:21:123:42 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:123:70:123:70 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:164:10:164:37 | try ... :  | semmle.label | try ... :  |
+| UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | semmle.label | call to init(contentsOf:) :  |
+| UnsafeJsEval.swift:200:21:200:35 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
+| UnsafeJsEval.swift:203:7:203:21 | call to getRemoteData() :  | semmle.label | call to getRemoteData() :  |
+| UnsafeJsEval.swift:204:7:204:7 | remoteString :  | semmle.label | remoteString :  |
+| UnsafeJsEval.swift:207:7:207:39 | ... .+(_:_:) ... :  | semmle.label | ... .+(_:_:) ... :  |
+| UnsafeJsEval.swift:264:13:264:13 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:265:22:265:107 | call to init(source:injectionTime:forMainFrameOnly:) | semmle.label | call to init(source:injectionTime:forMainFrameOnly:) |
+| UnsafeJsEval.swift:267:13:267:13 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:268:22:268:124 | call to init(source:injectionTime:forMainFrameOnly:in:) | semmle.label | call to init(source:injectionTime:forMainFrameOnly:in:) |
+| UnsafeJsEval.swift:275:13:275:13 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:276:26:276:26 | string | semmle.label | string |
+| UnsafeJsEval.swift:278:13:278:13 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:279:26:279:26 | string | semmle.label | string |
+| UnsafeJsEval.swift:284:13:284:13 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:285:3:285:10 | .utf16 :  | semmle.label | .utf16 :  |
+| UnsafeJsEval.swift:285:51:285:51 | stringBytes :  | semmle.label | stringBytes :  |
+| UnsafeJsEval.swift:286:16:286:98 | call to JSStringRetain(_:) :  | semmle.label | call to JSStringRetain(_:) :  |
+| UnsafeJsEval.swift:286:31:286:97 | call to JSStringCreateWithCharacters(_:_:) :  | semmle.label | call to JSStringCreateWithCharacters(_:_:) :  |
+| UnsafeJsEval.swift:290:17:290:17 | jsstr | semmle.label | jsstr |
+| UnsafeJsEval.swift:298:13:298:13 | string :  | semmle.label | string :  |
+| UnsafeJsEval.swift:299:3:299:10 | .utf8CString :  | semmle.label | .utf8CString :  |
+| UnsafeJsEval.swift:299:48:299:48 | stringBytes :  | semmle.label | stringBytes :  |
+| UnsafeJsEval.swift:300:16:300:85 | call to JSStringRetain(_:) :  | semmle.label | call to JSStringRetain(_:) :  |
+| UnsafeJsEval.swift:300:31:300:84 | call to JSStringCreateWithUTF8CString(_:) :  | semmle.label | call to JSStringCreateWithUTF8CString(_:) :  |
+| UnsafeJsEval.swift:304:17:304:17 | jsstr | semmle.label | jsstr |
+subpaths
+| UnsafeJsEval.swift:286:31:286:97 | call to JSStringCreateWithCharacters(_:_:) :  | UnsafeJsEval.swift:123:21:123:42 | string :  | UnsafeJsEval.swift:123:70:123:70 | string :  | UnsafeJsEval.swift:286:16:286:98 | call to JSStringRetain(_:) :  |
+| UnsafeJsEval.swift:300:31:300:84 | call to JSStringCreateWithUTF8CString(_:) :  | UnsafeJsEval.swift:123:21:123:42 | string :  | UnsafeJsEval.swift:123:70:123:70 | string :  | UnsafeJsEval.swift:300:16:300:85 | call to JSStringRetain(_:) :  |
+#select
+| UnsafeJsEval.swift:265:22:265:107 | call to init(source:injectionTime:forMainFrameOnly:) | UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:265:22:265:107 | call to init(source:injectionTime:forMainFrameOnly:) | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:268:22:268:124 | call to init(source:injectionTime:forMainFrameOnly:in:) | UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:268:22:268:124 | call to init(source:injectionTime:forMainFrameOnly:in:) | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:276:26:276:26 | string | UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:276:26:276:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:279:26:279:26 | string | UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:279:26:279:26 | string | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:290:17:290:17 | jsstr | UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:290:17:290:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
+| UnsafeJsEval.swift:304:17:304:17 | jsstr | UnsafeJsEval.swift:164:14:164:37 | call to init(contentsOf:) :  | UnsafeJsEval.swift:304:17:304:17 | jsstr | Evaluation of uncontrolled JavaScript from a remote source. |
diff --git a/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift b/swift/ql/test/query-tests/Security/CWE-094/UnsafeJsEval.swift
@@ -167,7 +167,7 @@ func getRemoteData() -> String {
 	}
 }
 
-func testUsage(_ sink: @escaping (String) async throws -> ()) {
+func testAsync(_ sink: @escaping (String) async throws -> ()) {
 	Task {
 		let localString = "console.log('localString')"
 		let localStringFragment = "'localStringFragment'"
@@ -184,7 +184,7 @@ func testUsage(_ sink: @escaping (String) async throws -> ()) {
 		let remoteData = Data(remoteString.utf8)
 
 		try! await sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local
-		try! await sink(String(decoding: remoteData, as: UTF8.self)) // BAD: the data is remote
+		try! await sink(String(decoding: remoteData, as: UTF8.self)) // BAD [NOT DETECTED]: the data is remote (TODO: model Data taint sources)
 
 		try! await sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion
 		try! await sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion
@@ -194,69 +194,94 @@ func testUsage(_ sink: @escaping (String) async throws -> ()) {
 	}
 }
 
+func testSync(_ sink: @escaping (String) -> ()) {
+	let localString = "console.log('localString')"
+	let localStringFragment = "'localStringFragment'"
+	let remoteString = getRemoteData()
+
+	sink(localString) // GOOD: the HTML data is local
+	sink(getRemoteData()) // BAD: HTML contains remote input, may access local secrets
+	sink(remoteString) // BAD
+
+	sink("console.log(" + localStringFragment + ")") // GOOD: the HTML data is local
+	sink("console.log(" + remoteString + ")") // BAD
+
+	let localData = Data(localString.utf8)
+	let remoteData = Data(remoteString.utf8)
+
+	sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local
+	sink(String(decoding: remoteData, as: UTF8.self)) // BAD [NOT DETECTED]: the data is remote (TODO: model Data taint sources)
+
+	sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion
+	sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion
+
+	sink("console.log(" + (localStringFragment.count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion
+	sink("console.log(" + (remoteString.count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion
+}
+
 func testUIWebView() {
 	let webview = UIWebView()
 
-	testUsage { string in
+	testAsync { string in
 		_ = await webview.stringByEvaluatingJavaScript(from: string)
 	}
 }
 
 func testWebView() {
 	let webview = WebView()
 
-	testUsage { string in
+	testAsync { string in
 		_ = await webview.stringByEvaluatingJavaScript(from: string)
 	}
 }
 
 func testWKWebView() {
 	let webview = WKWebView()
 
-	testUsage { string in
+	testAsync { string in
 		_ = try await webview.evaluateJavaScript(string)
 	}
-	testUsage { string in
+	testAsync { string in
 		await webview.evaluateJavaScript(string) { _, _ in }
 	}
-	testUsage { string in
+	testAsync { string in
 		await webview.evaluateJavaScript(string, in: nil, in: WKContentWorld.defaultClient) { _ in }
 	}
-	testUsage { string in
+	testAsync { string in
 		_ = try await webview.evaluateJavaScript(string, contentWorld: .defaultClient)
 	}
-	testUsage { string in
+	testAsync { string in
 		await webview.callAsyncJavaScript(string, in: nil, in: .defaultClient) { _ in () }
 	}
-	testUsage { string in
+	testAsync { string in
 		_ = try await webview.callAsyncJavaScript(string, contentWorld: WKContentWorld.defaultClient)
 	}
 }
 
 func testWKUserContentController() {
 	let ctrl = WKUserContentController()
 
-	testUsage { string in
+	testSync { string in
 		ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentStart, forMainFrameOnly: false))
 	}
-	testUsage { string in
+	testSync { string in
 		ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentEnd, forMainFrameOnly: true, in: .defaultClient))
 	}
 }
 
 func testJSContext() {
 	let ctx = JSContext()
 
-	testUsage { string in
+	testSync { string in
 		_ = ctx.evaluateScript(string)
 	}
-	testUsage { string in
+	testSync { string in
 		_ = ctx.evaluateScript(string, withSourceURL: URL(string: "https://example.com"))
 	}
 }
 
 func testJSEvaluateScript() {
-	testUsage { string in
+	testSync { string in
 		string.utf16.withContiguousStorageIfAvailable { stringBytes in
 			let jsstr = JSStringRetain(JSStringCreateWithCharacters(stringBytes.baseAddress, string.count))
 			defer { JSStringRelease(jsstr) }
@@ -270,7 +295,7 @@ func testJSEvaluateScript() {
 			)
 		}
 	}
-	testUsage { string in
+	testSync { string in
 		string.utf8CString.withUnsafeBufferPointer { stringBytes in
 			let jsstr = JSStringRetain(JSStringCreateWithUTF8CString(stringBytes.baseAddress))
 			defer { JSStringRelease(jsstr) }

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ func getRemoteData() -> String {`
`167`	`167`	`}`
`168`	`168`	`}`
`169`	`169`
`170`		`-func testUsage(_ sink: @escaping (String) async throws -> ()) {`
	`170`	`+func testAsync(_ sink: @escaping (String) async throws -> ()) {`
`171`	`171`	`Task {`
`172`	`172`	`let localString = "console.log('localString')"`
`173`	`173`	`let localStringFragment = "'localStringFragment'"`
`@@ -184,7 +184,7 @@ func testUsage(_ sink: @escaping (String) async throws -> ()) {`
`184`	`184`	`let remoteData = Data(remoteString.utf8)`
`185`	`185`
`186`	`186`	`try! await sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local`
`187`		`- try! await sink(String(decoding: remoteData, as: UTF8.self)) // BAD: the data is remote`
	`187`	`+ try! await sink(String(decoding: remoteData, as: UTF8.self)) // BAD [NOT DETECTED]: the data is remote (TODO: model Data taint sources)`
`188`	`188`
`189`	`189`	`try! await sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion`
`190`	`190`	`try! await sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion`
`@@ -194,69 +194,94 @@ func testUsage(_ sink: @escaping (String) async throws -> ()) {`
`194`	`194`	`}`
`195`	`195`	`}`
`196`	`196`
	`197`	`+func testSync(_ sink: @escaping (String) -> ()) {`
	`198`	`+ let localString = "console.log('localString')"`
	`199`	`+ let localStringFragment = "'localStringFragment'"`
	`200`	`+ let remoteString = getRemoteData()`
	`201`	`+`
	`202`	`+ sink(localString) // GOOD: the HTML data is local`
	`203`	`+ sink(getRemoteData()) // BAD: HTML contains remote input, may access local secrets`
	`204`	`+ sink(remoteString) // BAD`
	`205`	`+`
	`206`	`+ sink("console.log(" + localStringFragment + ")") // GOOD: the HTML data is local`
	`207`	`+ sink("console.log(" + remoteString + ")") // BAD`
	`208`	`+`
	`209`	`+ let localData = Data(localString.utf8)`
	`210`	`+ let remoteData = Data(remoteString.utf8)`
	`211`	`+`
	`212`	`+ sink(String(decoding: localData, as: UTF8.self)) // GOOD: the data is local`
	`213`	`+ sink(String(decoding: remoteData, as: UTF8.self)) // BAD [NOT DETECTED]: the data is remote (TODO: model Data taint sources)`
	`214`	`+`
	`215`	`+ sink("console.log(" + String(Int(localStringFragment) ?? 0) + ")") // GOOD: Primitive conversion`
	`216`	`+ sink("console.log(" + String(Int(remoteString) ?? 0) + ")") // GOOD: Primitive conversion`
	`217`	`+`
	`218`	`+ sink("console.log(" + (localStringFragment.count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion`
	`219`	`+ sink("console.log(" + (remoteString.count != 0 ? "1" : "0") + ")") // GOOD: Primitive conversion`
	`220`	`+}`
	`221`	`+`
`197`	`222`	`func testUIWebView() {`
`198`	`223`	`let webview = UIWebView()`
`199`	`224`
`200`		`- testUsage { string in`
	`225`	`+ testAsync { string in`
`201`	`226`	`_ = await webview.stringByEvaluatingJavaScript(from: string)`
`202`	`227`	`}`
`203`	`228`	`}`
`204`	`229`
`205`	`230`	`func testWebView() {`
`206`	`231`	`let webview = WebView()`
`207`	`232`
`208`		`- testUsage { string in`
	`233`	`+ testAsync { string in`
`209`	`234`	`_ = await webview.stringByEvaluatingJavaScript(from: string)`
`210`	`235`	`}`
`211`	`236`	`}`
`212`	`237`
`213`	`238`	`func testWKWebView() {`
`214`	`239`	`let webview = WKWebView()`
`215`	`240`
`216`		`- testUsage { string in`
	`241`	`+ testAsync { string in`
`217`	`242`	`_ = try await webview.evaluateJavaScript(string)`
`218`	`243`	`}`
`219`		`- testUsage { string in`
	`244`	`+ testAsync { string in`
`220`	`245`	`await webview.evaluateJavaScript(string) { _, _ in }`
`221`	`246`	`}`
`222`		`- testUsage { string in`
	`247`	`+ testAsync { string in`
`223`	`248`	`await webview.evaluateJavaScript(string, in: nil, in: WKContentWorld.defaultClient) { _ in }`
`224`	`249`	`}`
`225`		`- testUsage { string in`
	`250`	`+ testAsync { string in`
`226`	`251`	`_ = try await webview.evaluateJavaScript(string, contentWorld: .defaultClient)`
`227`	`252`	`}`
`228`		`- testUsage { string in`
	`253`	`+ testAsync { string in`
`229`	`254`	`await webview.callAsyncJavaScript(string, in: nil, in: .defaultClient) { _ in () }`
`230`	`255`	`}`
`231`		`- testUsage { string in`
	`256`	`+ testAsync { string in`
`232`	`257`	`_ = try await webview.callAsyncJavaScript(string, contentWorld: WKContentWorld.defaultClient)`
`233`	`258`	`}`
`234`	`259`	`}`
`235`	`260`
`236`	`261`	`func testWKUserContentController() {`
`237`	`262`	`let ctrl = WKUserContentController()`
`238`	`263`
`239`		`- testUsage { string in`
	`264`	`+ testSync { string in`
`240`	`265`	`ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentStart, forMainFrameOnly: false))`
`241`	`266`	`}`
`242`		`- testUsage { string in`
	`267`	`+ testSync { string in`
`243`	`268`	`ctrl.addUserScript(WKUserScript(source: string, injectionTime: .atDocumentEnd, forMainFrameOnly: true, in: .defaultClient))`
`244`	`269`	`}`
`245`	`270`	`}`
`246`	`271`
`247`	`272`	`func testJSContext() {`
`248`	`273`	`let ctx = JSContext()`
`249`	`274`
`250`		`- testUsage { string in`
	`275`	`+ testSync { string in`
`251`	`276`	`_ = ctx.evaluateScript(string)`
`252`	`277`	`}`
`253`		`- testUsage { string in`
	`278`	`+ testSync { string in`
`254`	`279`	`_ = ctx.evaluateScript(string, withSourceURL: URL(string: "https://example.com"))`
`255`	`280`	`}`
`256`	`281`	`}`
`257`	`282`
`258`	`283`	`func testJSEvaluateScript() {`
`259`		`- testUsage { string in`
	`284`	`+ testSync { string in`
`260`	`285`	`string.utf16.withContiguousStorageIfAvailable { stringBytes in`
`261`	`286`	`let jsstr = JSStringRetain(JSStringCreateWithCharacters(stringBytes.baseAddress, string.count))`
`262`	`287`	`defer { JSStringRelease(jsstr) }`
`@@ -270,7 +295,7 @@ func testJSEvaluateScript() {`
`270`	`295`	`)`
`271`	`296`	`}`
`272`	`297`	`}`
`273`		`- testUsage { string in`
	`298`	`+ testSync { string in`
`274`	`299`	`string.utf8CString.withUnsafeBufferPointer { stringBytes in`
`275`	`300`	`let jsstr = JSStringRetain(JSStringCreateWithUTF8CString(stringBytes.baseAddress))`
`276`	`301`	`defer { JSStringRelease(jsstr) }`