
Commit 91b9e95

committed
JS: Fix join ordering in analysis of add expressions
1 parent 6a37e4b commit 91b9e95


1 file changed

+19
-15
lines changed

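--- a/javascript/ql/src/semmle/javascript/dataflow/internal/BasicExprTypeInference.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/internal/BasicExprTypeInference.qll
@@ -239,39 +239,43 @@ private class AnalyzedBinaryExpr extends DataFlow::AnalyzedValueNode {
   }
 
   /**
-   * Gets a primitive type to which the local value of `e` can be coerced.
+   * Gets the `n`th operand of the given `+` or `+=` expression.
    */
-  private PrimitiveType getALocalPrimitiveType(Expr e) {
-    result = e.analyze().getALocalValue().toPrimitive().getType()
+  pragma[nomagic]
+  private DataFlow::AnalyzedValueNode getAddOperand(Expr e, int n) {
+    (e instanceof AddExpr or e instanceof AssignAddExpr) and
+    result = DataFlow::valueNode(e.getChildExpr(n))
   }
 
   /**
-   * Holds if `e` may hold a string value.
-   */
-  private predicate maybeString(Expr e) { getALocalPrimitiveType(e) = TTString() }
-
-  /**
-   * Holds if `e` may hold a non-string value.
+   * Gets a primitive type of the `n`th operand of the given `+` or `+=` expression.
    */
-  private predicate maybeNonString(Expr e) { getALocalPrimitiveType(e) != TTString() }
+  pragma[noopt]
+  private PrimitiveType getAnAddOperandPrimitiveType(Expr e, int n) {
+    exists(DataFlow::AnalyzedValueNode operand, AbstractValue value, AbstractValue prim |
+      operand = getAddOperand(e, n) and
+      value = operand.getALocalValue() and
+      prim = value.toPrimitive() and
+      result = prim.getType() and
+      result instanceof PrimitiveType
+    )
+  }
 
   /**
    * Holds if `e` is a `+` or `+=` expression that could be interpreted as a string append
    * (as opposed to a numeric addition) at runtime.
    */
   private predicate isStringAppend(Expr e) {
-    (e instanceof AddExpr or e instanceof AssignAddExpr) and
-    maybeString(e.getAChildExpr())
+    getAnAddOperandPrimitiveType(e, _) = TTString()
   }
 
   /**
    * Holds if `e` is a `+` or `+=` expression that could be interpreted as a numeric addition
    * (as opposed to a string append) at runtime.
    */
   private predicate isAddition(Expr e) {
-    (e instanceof AddExpr or e instanceof AssignAddExpr) and
-    maybeNonString(e.getChildExpr(0)) and
-    maybeNonString(e.getChildExpr(1))
+    getAnAddOperandPrimitiveType(e, 0) != TTString() and
+    getAnAddOperandPrimitiveType(e, 1) != TTString()
   }
 
   /**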
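Review bot: The `pragma[noopt]` body of `getAnAddOperandPrimitiveType` has no comment saying why its conjuncts are spelled out one per line in that order, so a later reader may fold it back into the chained form `getAddOperand(e, n).getALocalValue().toPrimitive().getType()` and reintroduce the evaluation-order problem the commit title refers to. Suggest a comment above the pragma such as `// noopt: keep operand -> local value -> primitive -> type in this order; the default join order was too expensive here.` The trailing `result instanceof PrimitiveType` conjunct appears to be there because `noopt` leaves the result type unrestricted, which also deserves a one-line note so it is not removed as redundant. The enclosing class `AnalyzedBinaryExpr` begins before this hunk.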
