JS: tweak global flow for closure modules

asger-semmle · asger-semmle · commit 8c96f5f037e0 · 2019-02-15T12:05:35.000Z
diff --git a/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/TypeInference.qll
@@ -47,6 +47,12 @@ class AnalyzedNode extends DataFlow::Node {
    */
   AnalyzedNode localFlowPred() { result = getAPredecessor() }
 
+  /**
+   * Gets another data flow node whose value flows into this node in a global step
+   * (this is, involvign global variables).
+   */
+  AnalyzedNode globalFlowPred() { none() }
+
   /**
    * Gets an abstract value that this node may evaluate to at runtime.
    *
@@ -57,7 +63,9 @@ class AnalyzedNode extends DataFlow::Node {
    * instances is also performed.
    */
   cached
-  AbstractValue getAValue() { result = getALocalValue() }
+  AbstractValue getAValue() {
+    result = getALocalValue()
+  }
 
   /**
    * INTERNAL: Do not use.
@@ -82,6 +90,9 @@ class AnalyzedNode extends DataFlow::Node {
     exists(DataFlow::Incompleteness cause |
       isIncomplete(cause) and result = TIndefiniteAbstractValue(cause)
     )
+    or
+    result = globalFlowPred().getALocalValue() and
+    shouldTrackGlobally(result)
   }
 
   /** Gets a type inferred for this node. */
@@ -282,3 +293,8 @@ private class AnalyzedAsyncFunction extends AnalyzedFunction {
 
   override AbstractValue getAReturnValue() { result = TAbstractOtherObject() }
 }
+
+/**
+ * Holds if the given value should be propagated along `globalFlowPred()` edges.
+ */
+private predicate shouldTrackGlobally(AbstractValue value) { value instanceof AbstractCallable }
diff --git a/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll b/javascript/ql/src/semmle/javascript/dataflow/internal/InterModuleTypeInference.qll
@@ -360,13 +360,11 @@ private class AnalyzedClosureGlobalAccessPath extends AnalyzedNode, AnalyzedProp
 
   AnalyzedClosureGlobalAccessPath() { accessPath = Closure::getLibraryAccessPath(this) }
 
-  override AnalyzedNode localFlowPred() {
+  override AnalyzedNode globalFlowPred() {
     exists(DataFlow::PropWrite write |
       Closure::getWrittenLibraryAccessPath(write) = accessPath and
       result = write.getRhs()
     )
-    or
-    result = AnalyzedNode.super.localFlowPred()
   }
 
   override predicate reads(AbstractValue base, string propName) {

Original file line number	Diff line number	Diff line change
`@@ -360,13 +360,11 @@ private class AnalyzedClosureGlobalAccessPath extends AnalyzedNode, AnalyzedProp`
`360`	`360`
`361`	`361`	`AnalyzedClosureGlobalAccessPath() { accessPath = Closure::getLibraryAccessPath(this) }`
`362`	`362`
`363`		`- override AnalyzedNode localFlowPred() {`
	`363`	`+ override AnalyzedNode globalFlowPred() {`
`364`	`364`	`exists(DataFlow::PropWrite write \|`
`365`	`365`	`Closure::getWrittenLibraryAccessPath(write) = accessPath and`
`366`	`366`	`result = write.getRhs()`
`367`	`367`	`)`
`368`		`- or`
`369`		`- result = AnalyzedNode.super.localFlowPred()`
`370`	`368`	`}`
`371`	`369`
`372`	`370`	`override predicate reads(AbstractValue base, string propName) {`