JS: fix false positives for splice with conditional index decrement

Napalys · Napalys · commit 66d66fe87d58 · 2025-06-12T14:51:10.000+02:00
diff --git a/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql b/javascript/ql/src/Statements/LoopIterationSkippedDueToShifting.ql
@@ -146,7 +146,12 @@ class ArrayIterationLoop extends ForStmt {
     or
     this.hasPathThrough(splice, cfg.getAPredecessor()) and
     this.getLoopEntry().dominates(cfg.getBasicBlock()) and
-    not this.hasIndexingManipulation(cfg)
+    not this.hasIndexingManipulation(cfg) and
+    // Don't continue through a branch that tests the splice call's return value
+    not exists(ConditionGuardNode guard | cfg = guard |
+      guard.getTest() = splice.asExpr() and
+      guard.getOutcome() = false
+    )
   }
 }
 
diff --git a/javascript/ql/test/query-tests/Statements/LoopIterationSkippedDueToShifting/LoopIterationSkippedDueToShifting.expected b/javascript/ql/test/query-tests/Statements/LoopIterationSkippedDueToShifting/LoopIterationSkippedDueToShifting.expected
@@ -2,5 +2,4 @@
 | tst.js:13:29:13:46 | parts.splice(i, 1) | Removing an array item without adjusting the loop index 'i' causes the subsequent array item to be skipped. |
 | tst.js:24:9:24:26 | parts.splice(i, 1) | Removing an array item without adjusting the loop index 'i' causes the subsequent array item to be skipped. |
 | tst.js:128:11:128:33 | pending ... e(i, 1) | Removing an array item without adjusting the loop index 'i' causes the subsequent array item to be skipped. |
-| tst.js:136:32:136:47 | toc.splice(i, 1) | Removing an array item without adjusting the loop index 'i' causes the subsequent array item to be skipped. |
-| tst.js:143:10:143:25 | toc.splice(i, 1) | Removing an array item without adjusting the loop index 'i' causes the subsequent array item to be skipped. |
+| tst.js:153:11:153:26 | toc.splice(i, 1) | Removing an array item without adjusting the loop index 'i' causes the subsequent array item to be skipped. |
diff --git a/javascript/ql/test/query-tests/Statements/LoopIterationSkippedDueToShifting/tst.js b/javascript/ql/test/query-tests/Statements/LoopIterationSkippedDueToShifting/tst.js
@@ -133,16 +133,26 @@ function withTryCatch(pendingCSS) {
 
 function andOperand(toc) {
   for (let i = 0; i < toc.length; i++) {
-    toc[i].ignoreSubHeading && toc.splice(i, 1) && i--; // $ SPURIOUS:Alert
+    toc[i].ignoreSubHeading && toc.splice(i, 1) && i--;
   }
 }
 
 function ifStatement(toc) {
   for (let i = 0; i < toc.length; i++) {
     if(toc[i].ignoreSubHeading){
-      if(toc.splice(i, 1)){ // $ SPURIOUS:Alert
+      if(toc.splice(i, 1)){
         i--; 
       }
     }
   }
 }
+
+function ifStatement2(toc) {
+  for (let i = 0; i < toc.length; i++) {
+    if(toc[i].ignoreSubHeading){
+      if(!toc.splice(i, 1)){ // $Alert
+        i--;
+      }
+    }
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,12 @@ class ArrayIterationLoop extends ForStmt {`
`146`	`146`	`or`
`147`	`147`	`this.hasPathThrough(splice, cfg.getAPredecessor()) and`
`148`	`148`	`this.getLoopEntry().dominates(cfg.getBasicBlock()) and`
`149`		`- not this.hasIndexingManipulation(cfg)`
	`149`	`+ not this.hasIndexingManipulation(cfg) and`
	`150`	`+ // Don't continue through a branch that tests the splice call's return value`
	`151`	`+ not exists(ConditionGuardNode guard \| cfg = guard \|`
	`152`	`+ guard.getTest() = splice.asExpr() and`
	`153`	`+ guard.getOutcome() = false`
	`154`	`+ )`
`150`	`155`	`}`
`151`	`156`	`}`
`152`	`157`
Original file line number	Diff line number	Diff line change
`@@ -133,16 +133,26 @@ function withTryCatch(pendingCSS) {`
`133`	`133`
`134`	`134`	`function andOperand(toc) {`
`135`	`135`	`for (let i = 0; i < toc.length; i++) {`
`136`		`- toc[i].ignoreSubHeading && toc.splice(i, 1) && i--; // $ SPURIOUS:Alert`
	`136`	`+ toc[i].ignoreSubHeading && toc.splice(i, 1) && i--;`
`137`	`137`	`}`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`function ifStatement(toc) {`
`141`	`141`	`for (let i = 0; i < toc.length; i++) {`
`142`	`142`	`if(toc[i].ignoreSubHeading){`
`143`		`- if(toc.splice(i, 1)){ // $ SPURIOUS:Alert`
	`143`	`+ if(toc.splice(i, 1)){`
`144`	`144`	`i--;`
`145`	`145`	`}`
`146`	`146`	`}`
`147`	`147`	`}`
`148`	`148`	`}`
	`149`	`+`
	`150`	`+function ifStatement2(toc) {`
	`151`	`+ for (let i = 0; i < toc.length; i++) {`
	`152`	`+ if(toc[i].ignoreSubHeading){`
	`153`	`+ if(!toc.splice(i, 1)){ // $Alert`
	`154`	`+ i--;`
	`155`	`+ }`
	`156`	`+ }`
	`157`	`+ }`
	`158`	`+}`