JavaScript: Model data flow of destructuring assignments more precisely.

Max Schaefer · Max Schaefer · commit d2993b9e04b1 · 2018-10-25T15:31:46.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/BasicBlocks.qll b/javascript/ql/src/semmle/javascript/BasicBlocks.qll
@@ -67,7 +67,27 @@ private cached module Internal {
   }
 
   cached predicate defAt(BasicBlock bb, int i, Variable v, VarDef d) {
-    v = d.getAVariable() and bbIndex(bb, d, i)
+    exists (VarRef def |
+      def = d.getTarget().(BindingPattern).getABindingVarRef() and
+      v = def.getVariable() |
+      def = d.getTarget() and
+      bbIndex(bb, d, i)
+      or
+      exists (PropertyPattern pp |
+        def = pp.getValuePattern() and
+        bbIndex(bb, pp, i)
+      )
+      or
+      exists (ObjectPattern op |
+        def = op.getRest() and
+        bbIndex(bb, def, i)
+      )
+      or
+      exists (ArrayPattern ap |
+        def = ap.getAnElement() and
+        bbIndex(bb, def, i)
+      )
+    )
   }
 
   cached predicate reachableBB(BasicBlock bb) {
diff --git a/javascript/ql/test/library-tests/Flow/AbstractValues.expected b/javascript/ql/test/library-tests/Flow/AbstractValues.expected
@@ -59,6 +59,8 @@
 | d.js:1:1:4:0 | exports object of module d |
 | d.js:1:1:4:0 | module object of module d |
 | d.js:1:18:3:1 | object literal |
+| destructuring.js:1:1:4:1 | function f |
+| destructuring.js:1:1:4:1 | instance of function f |
 | e.js:1:1:6:0 | exports object of module e |
 | e.js:1:1:6:0 | module object of module e |
 | es2015.js:1:1:50:0 | exports object of module es2015 |
diff --git a/javascript/ql/test/library-tests/Flow/abseval.expected b/javascript/ql/test/library-tests/Flow/abseval.expected
@@ -68,6 +68,8 @@
 | classAccessors.js:11:9:11:11 | myY | classAccessors.js:11:15:11:20 | this.y | file://:0:0:0:0 | indefinite value (heap) |
 | classAccessors.js:12:9:12:11 | myZ | classAccessors.js:12:15:12:20 | this.z | file://:0:0:0:0 | indefinite value (call) |
 | classAccessors.js:12:9:12:11 | myZ | classAccessors.js:12:15:12:20 | this.z | file://:0:0:0:0 | indefinite value (heap) |
+| destructuring.js:2:7:2:24 | { x, y = (z = x) } | destructuring.js:2:28:2:28 | o | file://:0:0:0:0 | indefinite value (call) |
+| destructuring.js:3:7:3:8 | z1 | destructuring.js:3:12:3:12 | z | file://:0:0:0:0 | indefinite value (heap) |
 | es2015.js:1:5:1:7 | Sup | es2015.js:1:11:6:1 | class { ... ;\\n  }\\n} | es2015.js:1:11:6:1 | class Sup |
 | es2015.js:4:9:4:12 | ctor | es2015.js:4:16:4:25 | new.target | file://:0:0:0:0 | indefinite value (call) |
 | es2015.js:19:7:19:11 | _args | es2015.js:19:15:19:18 | args | file://:0:0:0:0 | object |
diff --git a/javascript/ql/test/library-tests/Flow/destructuring.js b/javascript/ql/test/library-tests/Flow/destructuring.js
@@ -0,0 +1,4 @@
+function f(o) {
+  var { x, y = (z = x) } = o, z;
+  var z1 = z;
+}
diff --git a/javascript/ql/test/library-tests/Flow/types.expected b/javascript/ql/test/library-tests/Flow/types.expected
@@ -38,6 +38,8 @@
 | classAccessors.js:10:9:10:11 | myX | classAccessors.js:10:15:10:20 | this.x | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | classAccessors.js:11:9:11:11 | myY | classAccessors.js:11:15:11:20 | this.y | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | classAccessors.js:12:9:12:11 | myZ | classAccessors.js:12:15:12:20 | this.z | boolean, class, date, function, null, number, object, regular expression,string or undefined |
+| destructuring.js:2:7:2:24 | { x, y = (z = x) } | destructuring.js:2:28:2:28 | o | boolean, class, date, function, null, number, object, regular expression,string or undefined |
+| destructuring.js:3:7:3:8 | z1 | destructuring.js:3:12:3:12 | z | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | es2015.js:1:5:1:7 | Sup | es2015.js:1:11:6:1 | class { ... ;\\n  }\\n} | class |
 | es2015.js:4:9:4:12 | ctor | es2015.js:4:16:4:25 | new.target | boolean, class, date, function, null, number, object, regular expression,string or undefined |
 | es2015.js:19:7:19:11 | _args | es2015.js:19:15:19:18 | args | object |
