JS: Restructure call graph computation

asger-semmle · asger-semmle · commit 15f0e8585354 · 2019-10-09T12:16:10.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -117,14 +117,58 @@ module DataFlow {
     int getIntValue() { result = asExpr().getIntValue() }
 
     /** Gets a function value that may reach this node. */
-    FunctionNode getAFunctionValue() {
-      result.getAstNode() = analyze().getAValue().(AbstractCallable).getFunction()
+    final FunctionNode getAFunctionValue() {
+      result = getAFunctionValue(_)
+    }
+
+    /**
+     * Gets a function value that may reach this node.
+     *
+     * This predicate may be overridden to customize the call graph.
+     *
+     * Note that any additional values added by overiding predicates will not
+     * be propagated along data flow edges.
+     *
+     * `imprecision` is a heuristic measure of how likely it is that `callee`
+     * is only suggested as a potential callee due to
+     * imprecise analysis of global variables and is not, in fact, a viable callee at all.
+     */
+    cached
+    FunctionNode getAFunctionValue(int imprecision) {
+      exists(Function fun |
+        result = fun.flow() and
+        fun = analyze().getAValue().(AbstractCallable).getFunction()
+      |
+        if analyze().getAValue().isIndefinite("global") then
+          fun.getFile() = getFile() and imprecision = 0
+          or
+          fun.inExternsFile() and imprecision = 1
+          or
+          imprecision = 2
+        else
+          imprecision = 0
+      )
       or
+      imprecision = 0 and
       exists(string name |
         GlobalAccessPath::isAssignedInUniqueFile(name) and
         GlobalAccessPath::fromRhs(result) = name and
         GlobalAccessPath::fromReference(this) = name
       )
+      or
+      imprecision = 0 and
+      exists(DataFlow::ClassNode cls |
+        exists(string name |
+          cls.getAnInstanceMemberAccess(name).flowsTo(this) and
+          result = cls.getInstanceMethod(name)
+          or
+          cls.getAStaticMemberAccess(name).flowsTo(this) and
+          result = cls.getStaticMethod(name)
+        )
+        or
+        cls.getAClassReference().flowsTo(this) and
+        result = cls.getConstructor()
+      )
     }
 
     /**
diff --git a/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll b/javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
@@ -104,15 +104,15 @@ class InvokeNode extends DataFlow::SourceNode {
   }
 
   /** Gets an abstract value representing possible callees of this call site. */
-  AbstractValue getACalleeValue() { result = InvokeNode::getACalleeValue(this) }
+  final AbstractValue getACalleeValue() { result = getCalleeNode().analyze().getAValue() }
 
   /**
    * Gets a potential callee of this call site.
    *
    * To alter the call graph as seen by the interprocedural data flow libraries, override
    * the `getACallee(int imprecision)` predicate instead.
    */
-  Function getACallee() { result = InvokeNode::getACallee(this) }
+  final Function getACallee() { result = getACallee(_) }
 
   /**
    * Gets a callee of this call site where `imprecision` is a heuristic measure of how
@@ -125,7 +125,20 @@ class InvokeNode extends DataFlow::SourceNode {
    * This predicate can be overridden to alter the call graph used by the interprocedural
    * data flow libraries.
    */
-  Function getACallee(int imprecision) { result = InvokeNode::getACallee(this, imprecision) }
+  cached
+  Function getACallee(int imprecision) {
+    result.flow() = getCalleeNode().getAFunctionValue(imprecision)
+    or
+    imprecision = 0 and
+    exists(InvokeExpr expr | expr = this.(DataFlow::Impl::ExplicitInvokeNode).asExpr() |
+      result = expr.getResolvedCallee()
+      or
+      exists(DataFlow::ClassNode cls |
+        expr.(SuperCall).getBinder() = cls.getAnInstanceMethodOrConstructor().getFunction() and
+        result = cls.getADirectSuperClass().getConstructor().getFunction()
+      )
+    )
+  }
 
   /**
    * Holds if the approximation of possible callees for this call site is
@@ -173,60 +186,6 @@ class InvokeNode extends DataFlow::SourceNode {
   }
 }
 
-/** Auxiliary module used to cache a few related predicates together. */
-cached
-private module InvokeNode {
-  /** Gets an abstract value representing possible callees of `invk`. */
-  cached
-  AbstractValue getACalleeValue(InvokeNode invk) {
-    result = invk.getCalleeNode().analyze().getAValue()
-  }
-
-  /** Gets a potential callee of `invk` based on dataflow analysis results. */
-  private Function getACalleeFromDataflow(InvokeNode invk) {
-    result = getACalleeValue(invk).(AbstractCallable).getFunction()
-  }
-
-  /** Gets a potential callee of `invk`. */
-  cached
-  Function getACallee(InvokeNode invk) {
-    result = getACalleeFromDataflow(invk)
-    or
-    not exists(getACalleeFromDataflow(invk)) and
-    result = invk.(DataFlow::Impl::ExplicitInvokeNode).asExpr().(InvokeExpr).getResolvedCallee()
-  }
-
-  /**
-   * Gets a callee of `invk` where `imprecision` is a heuristic measure of how
-   * likely it is that `callee` is only suggested as a potential callee due to
-   * imprecise analysis of global variables and is not, in fact, a viable callee at all.
-   *
-   * Callees with imprecision zero, in particular, have either been derived without
-   * considering global variables, or are calls to a global variable within the same file.
-   */
-  cached
-  Function getACallee(InvokeNode invk, int imprecision) {
-    result = getACallee(invk) and
-    (
-      // if global flow was used to derive the callee, we may be imprecise
-      if invk.isIndefinite("global")
-      then
-        // callees within the same file are probably genuine
-        result.getFile() = invk.getFile() and imprecision = 0
-        or
-        // calls to global functions declared in an externs file are fairly
-        // safe as well
-        result.inExternsFile() and imprecision = 1
-        or
-        // otherwise we make worst-case assumptions
-        imprecision = 2
-      else
-        // no global flow, so no imprecision
-        imprecision = 0
-    )
-  }
-}
-
 /** A data flow node corresponding to a function call without `new`. */
 class CallNode extends InvokeNode {
   override DataFlow::Impl::CallNodeDef impl;
@@ -657,6 +616,8 @@ class ClassNode extends DataFlow::SourceNode {
 
   /**
    * Gets a direct super class of this class.
+   *
+   * This predicate can be overridden to customize the class hierarchy.
    */
   ClassNode getADirectSuperClass() { result.getAClassReference().flowsTo(getASuperClassNode()) }
 
@@ -686,8 +647,10 @@ class ClassNode extends DataFlow::SourceNode {
 
   /**
    * Gets a dataflow node that refers to this class object.
+   *
+   * This predicate can be overridden to customize the tracking of class objects.
    */
-  private DataFlow::SourceNode getAClassReference(DataFlow::TypeTracker t) {
+  DataFlow::SourceNode getAClassReference(DataFlow::TypeTracker t) {
     t.start() and
     result.(AnalyzedNode).getAValue() = getAbstractClassValue()
     or
@@ -698,14 +661,16 @@ class ClassNode extends DataFlow::SourceNode {
    * Gets a dataflow node that refers to this class object.
    */
   cached
-  DataFlow::SourceNode getAClassReference() {
+  final DataFlow::SourceNode getAClassReference() {
     result = getAClassReference(DataFlow::TypeTracker::end())
   }
 
   /**
    * Gets a dataflow node that refers to an instance of this class.
+   *
+   * This predicate can be overridden to customize the tracking of class instances.
    */
-  private DataFlow::SourceNode getAnInstanceReference(DataFlow::TypeTracker t) {
+  DataFlow::SourceNode getAnInstanceReference(DataFlow::TypeTracker t) {
     result = getAClassReference(t.continue()).getAnInstantiation()
     or
     t.start() and
@@ -740,10 +705,34 @@ class ClassNode extends DataFlow::SourceNode {
    * Gets a dataflow node that refers to an instance of this class.
    */
   cached
-  DataFlow::SourceNode getAnInstanceReference() {
+  final DataFlow::SourceNode getAnInstanceReference() {
     result = getAnInstanceReference(DataFlow::TypeTracker::end())
   }
 
+  /**
+   * Gets a property read that accesses the property `name` on an instance of this class.
+   *
+   * Concretely, this holds when the base is an instance of this class or a subclass thereof.
+   *
+   * This predicate may be overridden to customize the class hierarchy analysis.
+   */
+  DataFlow::PropRead getAnInstanceMemberAccess(string name) {
+    result = getAnInstanceReference().getAPropertyRead(name)
+    or
+    exists(DataFlow::ClassNode subclass |
+      result = subclass.getAnInstanceMemberAccess(name) and
+      not exists(subclass.getAnInstanceMember(name)) and
+      subclass = getADirectSubClass()
+    )
+  }
+
+  /**
+   * Gets an access to a static member of this class.
+   */
+  DataFlow::PropRead getAStaticMemberAccess(string name) {
+    result = getAClassReference().getAPropertyRead(name)
+  }
+
   /**
    * Holds if this class is exposed in the global scope through the given qualified name.
    */
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll
@@ -97,54 +97,11 @@ private module CachedSteps {
     f = cap.getContainer()
   }
 
-  /**
-   * Holds if the method invoked by `invoke` resolved to a member named `name` in `cls`
-   * or one of its super classes.
-   */
-  cached
-  predicate callResolvesToMember(DataFlow::InvokeNode invoke, DataFlow::ClassNode cls, string name) {
-    invoke = cls.getAnInstanceReference().getAMethodCall(name)
-    or
-    exists(DataFlow::ClassNode subclass |
-      callResolvesToMember(invoke, subclass, name) and
-      not exists(subclass.getAnInstanceMember(name)) and
-      cls = subclass.getADirectSuperClass()
-    )
-  }
-
   /**
    * Holds if `invk` may invoke `f`.
    */
   cached
-  predicate calls(DataFlow::InvokeNode invk, Function f) {
-    f = invk.getACallee(0)
-    or
-    exists(DataFlow::ClassNode cls |
-      // Call to class member
-      exists(string name |
-        callResolvesToMember(invk, cls, name) and
-        f = cls.getInstanceMethod(name).getFunction()
-        or
-        invk = cls.getAClassReference().getAMethodCall(name) and
-        f = cls.getStaticMethod(name).getFunction()
-      )
-      or
-      // Call to constructor
-      invk = cls.getAClassReference().getAnInvocation() and
-      f = cls.getConstructor().getFunction()
-      or
-      // Super call to constructor
-      invk.asExpr().(SuperCall).getBinder() = cls.getConstructor().getFunction() and
-      f = cls.getADirectSuperClass().getConstructor().getFunction()
-    )
-    or
-    // Call from `foo.bar.baz()` to `foo.bar.baz = function()`
-    exists(string name |
-      GlobalAccessPath::isAssignedInUniqueFile(name) and
-      GlobalAccessPath::fromRhs(f.flow()) = name and
-      GlobalAccessPath::fromReference(invk.getCalleeNode()) = name
-    )
-  }
+  predicate calls(DataFlow::InvokeNode invk, Function f) { f = invk.getACallee(0) }
 
   /**
    * Holds if `invk` may invoke `f` indirectly through the given `callback` argument.
@@ -525,3 +482,4 @@ module PathSummary {
    */
   PathSummary return() { exists(FlowLabel lbl | result = MkPathSummary(true, false, lbl, lbl)) }
 }
+
