Merge pull request #7344 from SZFsir/main

erik-krogh · web-flow · commit de4458346fcb · 2021-12-13T21:58:53.000+01:00
JS: Improve inter-procedural type inference for FunctionExpr
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll
@@ -190,6 +190,14 @@ private VarAccess getOnlyAccess(FunctionDeclStmt fn, LocalVariable v) {
   result = unique(VarAccess acc | acc = v.getAnAccess())
 }
 
+private VarAccess getOnlyAccessToFunctionExpr(FunctionExpr fn, LocalVariable v) {
+  exists(VariableDeclarator decl |
+    fn = decl.getInit() and
+    v = decl.getBindingPattern().getVariable() and
+    result = unique(VarAccess acc | acc = v.getAnAccess())
+  )
+}
+
 /** A function that only is used locally, making it amenable to type inference. */
 class LocalFunction extends Function {
   DataFlow::Impl::ExplicitInvokeNode invk;
@@ -199,6 +207,9 @@ class LocalFunction extends Function {
       getOnlyAccess(this, v) = invk.getCalleeNode().asExpr() and
       not exists(v.getAnAssignedExpr()) and
       not exists(ExportDeclaration export | export.exportsAs(v, _))
+      or
+      getOnlyAccessToFunctionExpr(this, v) = invk.getCalleeNode().asExpr() and
+      not exists(ExportDeclaration export | export.exportsAs(v, _))
     ) and
     // if the function is non-strict and its `arguments` object is accessed, we
     // also assume that there may be other calls (through `arguments.callee`)
diff --git a/javascript/ql/test/library-tests/TypeInference/CallWithAnalyzedReturnFlow/CalleeNodeValue.expected b/javascript/ql/test/library-tests/TypeInference/CallWithAnalyzedReturnFlow/CalleeNodeValue.expected
@@ -58,7 +58,6 @@
 | tst.js:80:5:80:7 | f20 | file://:0:0:0:0 | undefined |
 | tst.js:80:5:80:7 | f20 | tst.js:79:24:79:25 | object literal |
 | tst.js:84:17:84:20 | getF | tst.js:83:20:83:31 | function getF |
-| tst.js:86:13:86:13 | f | file://:0:0:0:0 | indefinite value (call) |
 | tst.js:86:13:86:13 | f | file://:0:0:0:0 | undefined |
 | tst.js:89:17:89:20 | getG | tst.js:88:9:88:25 | function getG |
 | tst.js:91:13:91:13 | g | file://:0:0:0:0 | undefined |
diff --git a/javascript/ql/test/library-tests/TypeInference/LocalFunction/LocalFunction.expected b/javascript/ql/test/library-tests/TypeInference/LocalFunction/LocalFunction.expected
@@ -1,8 +1,10 @@
 | LocalFunction.js:4:5:4:19 | function f1(){} | LocalFunction.js:5:5:5:8 | f1() |
 | LocalFunction.js:11:5:11:19 | function f3(){} | LocalFunction.js:13:5:13:8 | f3() |
 | LocalFunction.js:12:5:12:19 | function f3(){} | LocalFunction.js:13:5:13:8 | f3() |
-| LocalFunction.js:27:5:29:5 | functio ... ;\\n    } | LocalFunction.js:33:17:33:24 | f_zero() |
-| LocalFunction.js:30:5:32:5 | functio ... ;\\n    } | LocalFunction.js:33:5:33:12 | f_null() |
-| LocalFunction.js:35:5:37:5 | functio ... ;\\n    } | LocalFunction.js:41:5:41:12 | f_id1(0) |
-| LocalFunction.js:38:5:40:5 | functio ... ;\\n    } | LocalFunction.js:41:17:41:27 | f_id2(null) |
+| LocalFunction.js:15:14:15:25 | function(){} | LocalFunction.js:16:5:16:8 | f4() |
+| LocalFunction.js:31:5:33:5 | functio ... ;\\n    } | LocalFunction.js:37:17:37:24 | f_zero() |
+| LocalFunction.js:34:5:36:5 | functio ... ;\\n    } | LocalFunction.js:37:5:37:12 | f_null() |
+| LocalFunction.js:39:5:41:5 | functio ... ;\\n    } | LocalFunction.js:45:5:45:12 | f_id1(0) |
+| LocalFunction.js:42:5:44:5 | functio ... ;\\n    } | LocalFunction.js:45:17:45:27 | f_id2(null) |
 | LocalFunction_arguments.js:17:5:20:5 | functio ... e\\n    } | LocalFunction_arguments.js:21:5:21:7 | i() |
+| LocalFunction_arguments.js:40:14:43:5 | functio ... e\\n    } | LocalFunction_arguments.js:44:5:44:8 | i1() |
diff --git a/javascript/ql/test/library-tests/TypeInference/LocalFunction/LocalFunction.js b/javascript/ql/test/library-tests/TypeInference/LocalFunction/LocalFunction.js
@@ -22,6 +22,10 @@
     function f6(){}
     g(f6);
     f6();
+
+    var f7 = function(){}
+    f7();
+    f7();
 })();
 (function types(){
     function f_zero() {
@@ -48,3 +52,9 @@ export default function bar() {
 
 }
 bar();
+
+var foo1 = function foo1(){
+
+}
+foo1();
+export {foo1};
diff --git a/javascript/ql/test/library-tests/TypeInference/LocalFunction/LocalFunction_arguments.js b/javascript/ql/test/library-tests/TypeInference/LocalFunction/LocalFunction_arguments.js
@@ -20,3 +20,26 @@
     }
     i();
 })();
+
+(function(){
+    var f1 = function f1() {
+        arguments.callee()
+    }
+    f1();
+    var g1 = function g1() {
+        var args = arguments;
+        var callee = args.callee;
+        callee();
+    }
+    g1();
+    var h1 = function h1() {
+        var args = arguments;
+        args.callee;
+    }
+    h1();
+    var i1 = function i1() {
+        "use strict";
+        arguments.callee(); // does not work in strict mode
+    }
+    i1();
+})();
diff --git a/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected b/javascript/ql/test/query-tests/Expressions/SuspiciousInvocation/SuspiciousInvocation.expected
@@ -3,3 +3,4 @@
 | optional-chaining.js:3:5:3:7 | a() | Callee is not a function: it has type null. |
 | optional-chaining.js:7:5:7:7 | b() | Callee is not a function: it has type undefined. |
 | super.js:11:5:11:11 | super() | Callee is not a function: it has type number. |
+| unreachable-code.js:5:9:5:11 | f() | Callee is not a function: it has type undefined. |
