Handle returned values from Function.protoype.apply calls in ACG (#855)

msridhar · web-flow · commit 558624cd27e0 · 2021-01-17T21:32:31.000-08:00
diff --git a/com.ibm.wala.cast.js.rhino/src/test/java/com/ibm/wala/cast/js/rhino/callgraph/fieldbased/test/TestFieldBasedCG.java b/com.ibm.wala.cast.js.rhino/src/test/java/com/ibm/wala/cast/js/rhino/callgraph/fieldbased/test/TestFieldBasedCG.java
@@ -108,7 +108,8 @@ public void testLexicalWorklist() throws WalaException, Error, CancelException {
         },
         new Object[] {"suffix:Function_prototype_call", new String[] {"suffix:f"}},
         new Object[] {"suffix:Function_prototype_apply", new String[] {"suffix:x"}},
-        new Object[] {"suffix:f", new String[] {"suffix:k"}}
+        new Object[] {"suffix:f", new String[] {"suffix:k"}},
+        new Object[] {"suffix:p", new String[] {"suffix:n"}}
       };
 
   @Test
diff --git a/com.ibm.wala.cast.js.rhino/src/test/java/com/ibm/wala/cast/js/test/TestFlowGraphJSON.java b/com.ibm.wala.cast.js.rhino/src/test/java/com/ibm/wala/cast/js/test/TestFlowGraphJSON.java
@@ -77,7 +77,9 @@ public void testCallAndApply() {
             "Param(Func(flowgraph_constraints.js@30), 2)"));
     assertThat(
         Arrays.asList(parsedJSON.get("Ret(Func(flowgraph_constraints.js@30))")),
-        containsInAnyOrder("Var(flowgraph_constraints.js@29, [res1])"));
+        containsInAnyOrder(
+            "Var(flowgraph_constraints.js@29, [res1])",
+            "Var(flowgraph_constraints.js@29, [res2])"));
   }
 
   private static Map<String, String[]> getParsedFlowGraphJSON(String script)
diff --git a/com.ibm.wala.cast.js/src/main/java/com/ibm/wala/cast/js/callgraph/fieldbased/WorklistBasedOptimisticCallgraphBuilder.java b/com.ibm.wala.cast.js/src/main/java/com/ibm/wala/cast/js/callgraph/fieldbased/WorklistBasedOptimisticCallgraphBuilder.java
@@ -75,7 +75,8 @@ public Set<Pair<CallVertex, FuncVertex>> extractCallGraphEdges(
     VertexFactory factory = flowgraph.getVertexFactory();
     Set<Vertex> worklist = HashSetFactory.make();
     Map<Vertex, Set<FuncVertex>> reachingFunctions = HashMapFactory.make();
-    Map<VarVertex, JavaScriptInvoke> reflectiveCalleeVertices = HashMapFactory.make();
+    Map<VarVertex, Pair<JavaScriptInvoke, Boolean>> reflectiveCalleeVertices =
+        HashMapFactory.make();
 
     for (Vertex v : flowgraph) {
       if (v instanceof FuncVertex) {
@@ -116,21 +117,22 @@ public Set<Pair<CallVertex, FuncVertex>> extractCallGraphEdges(
                     reflectiveCalleeVertex,
                     factory.makeReflectiveCallVertex(callVertex.getCaller(), invk));
                 // we only add dataflow edges for Function.prototype.call
-                if (fullName.equals("Lprologue.js/Function_prototype_call")) {
-                  reflectiveCalleeVertices.put(reflectiveCalleeVertex, invk);
-                  for (FuncVertex fw :
-                      MapUtil.findOrCreateSet(reachingFunctions, reflectiveCalleeVertex))
-                    addReflectiveCallEdge(flowgraph, reflectiveCalleeVertex, invk, fw, worklist);
-                }
+                boolean isCall = fullName.equals("Lprologue.js/Function_prototype_call");
+                reflectiveCalleeVertices.put(reflectiveCalleeVertex, Pair.make(invk, isCall));
+                for (FuncVertex fw :
+                    MapUtil.findOrCreateSet(reachingFunctions, reflectiveCalleeVertex))
+                  addReflectiveCallEdge(
+                      flowgraph, reflectiveCalleeVertex, invk, fw, worklist, isCall);
               }
             }
           }
         } else if (handleCallApply && reflectiveCalleeVertices.containsKey(w)) {
-          JavaScriptInvoke invk = reflectiveCalleeVertices.get(w);
+          Pair<JavaScriptInvoke, Boolean> invkAndIsCall = reflectiveCalleeVertices.get(w);
           for (FuncVertex fv : vReach) {
             if (wReach.add(fv)) {
               changed = true;
-              addReflectiveCallEdge(flowgraph, (VarVertex) w, invk, fv, worklist);
+              addReflectiveCallEdge(
+                  flowgraph, (VarVertex) w, invkAndIsCall.fst, fv, worklist, invkAndIsCall.snd);
             }
           }
         } else {
@@ -197,24 +199,27 @@ private void addReflectiveCallEdge(
       VarVertex reflectiveCallee,
       JavaScriptInvoke invk,
       FuncVertex realCallee,
-      Set<Vertex> worklist) {
+      Set<Vertex> worklist,
+      boolean isFunctionPrototypeCall) {
     VertexFactory factory = flowgraph.getVertexFactory();
     FuncVertex caller = reflectiveCallee.getFunction();
 
-    // flow from arguments to parameters
-    for (int i = 2; i < invk.getNumberOfPositionalParameters(); ++i) {
-      addFlowEdge(
-          flowgraph,
-          factory.makeVarVertex(caller, invk.getUse(i)),
-          factory.makeParamVertex(realCallee, i - 1),
-          worklist);
-
-      // flow from return vertex to result vertex
-      addFlowEdge(
-          flowgraph,
-          factory.makeRetVertex(realCallee),
-          factory.makeVarVertex(caller, invk.getDef()),
-          worklist);
+    if (isFunctionPrototypeCall) {
+      // flow from arguments to parameters
+      for (int i = 2; i < invk.getNumberOfPositionalParameters(); ++i) {
+        addFlowEdge(
+            flowgraph,
+            factory.makeVarVertex(caller, invk.getUse(i)),
+            factory.makeParamVertex(realCallee, i - 1),
+            worklist);
+      }
     }
+
+    // flow from return vertex to result vertex
+    addFlowEdge(
+        flowgraph,
+        factory.makeRetVertex(realCallee),
+        factory.makeVarVertex(caller, invk.getDef()),
+        worklist);
   }
 }
diff --git a/com.ibm.wala.cast.js/src/test/resources/tests/fieldbased/reflective_calls.js b/com.ibm.wala.cast.js/src/test/resources/tests/fieldbased/reflective_calls.js
@@ -14,3 +14,12 @@ function h() {
 function k() {}
 
 h();
+
+function m() {
+  return function n() {}
+}
+
+function p() {
+  var x = m.apply(null, []);
+  x();
+}
