
Commit 73cbdee

committed
JS: Compound assignments and update exprs in range analysis
1 parent a374540 commit 73cbdee

1 file changed

Lines changed: 43 additions & 1 deletion


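--- a/javascript/ql/src/semmle/javascript/RangeAnalysis.qll
+++ b/javascript/ql/src/semmle/javascript/RangeAnalysis.qll
@@ -99,10 +99,33 @@ module RangeAnalysis {
 result = node
 }
 
+/**
+* Gets a data flow node holding the result of the add/subtract operation in
+* the given increment/decrement expression.
+*/
+private DataFlow::Node updateExprResult(UpdateExpr expr) {
+exists (SsaExplicitDefinition def | def.getDef() = expr |
+result = DataFlow::ssaDefinitionNode(def))
+or
+expr.isPrefix() and
+result = expr.flow()
+}
+
+/**
+* Gets a data flow node holding the result of the given componund assignment.
+*/
+private DataFlow::Node compoundAssignResult(CompoundAssignExpr expr) {
+exists (SsaExplicitDefinition def | def.getDef() = expr |
+result = DataFlow::ssaDefinitionNode(def))
+or
+result = expr.flow()
+}
+
 /**
 * Holds if `r` can be modelled as `r = root * sign + bias`.
 *
-* Does not follow data flow edges and is not recursive (that is, `root` may itself be defined linearly).
+* Only looks "one step", that is, does not follow data flow and does not recursively
+* unfold nested arithmetic expressions.
 */
 private predicate linearDefinitionStep(DataFlow::Node r, DataFlow::Node root, int sign, int bias) {
 not exists(r.asExpr().getIntValue()) and
@@ -131,6 +154,25 @@ module RangeAnalysis {
 root = expr.getOperand().flow() and
 bias = 0 and
 sign = -1)
+or
+exists (UpdateExpr update | r = updateExprResult(update) |
+root = update.getOperand().flow() and
+sign = 1 and
+if update instanceof IncExpr then
+bias = 1
+else
+bias = -1)
+or
+exists (CompoundAssignExpr assign | r = compoundAssignResult(assign) |
+root = assign.getLhs().flow() and
+sign = 1 and
+(
+assign instanceof AssignAddExpr and
+bias = assign.getRhs().getIntValue()
+or
+assign instanceof AssignSubExpr and
+bias = -assign.getRhs().getIntValue()
+))
 )
 }
 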
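Review bot: The compound-assignment case added to `linearDefinitionStep` (new lines 166–175) models every `AssignAddExpr` with an integer right-hand side as `r = lhs + bias`, but in JavaScript `s += 1` concatenates when `s` holds a string, and nothing in the visible lines restricts the left-hand side to numbers. The part of the predicate body between the two hunks is not shown, so that restriction may be enforced elsewhere; if it is not, a comment such as `// assumes a numeric left-hand side; for strings, += is concatenation` would record the assumption for queries that rely on these bounds to judge comparisons. Separately, the doc comment on `compoundAssignResult` misspells "compound" as "componund", and it could say why `expr.flow()` is included unconditionally there while `updateExprResult` includes it only for prefix forms.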
