Skip to content

JavaScript: Teach Function.isGenerator to check for yield.#1110

Merged
semmle-qlci merged 1 commit intogithub:masterfrom
xiemaisi:js/yield-in-non-generator
Mar 14, 2019
Merged

JavaScript: Teach Function.isGenerator to check for yield.#1110
semmle-qlci merged 1 commit intogithub:masterfrom
xiemaisi:js/yield-in-non-generator

Conversation

@xiemaisi
Copy link

@xiemaisi xiemaisi commented Mar 14, 2019

We support yield in non-generator functions (a legacy Mozilla feature), which leads to false positives from some of our type-inference based queries as shown in the attached test: the type inference thinks inner returns undefined, and hence flags the property access on its result. In fact, inner is (implicitly) a generator, so it doesn't return undefined at all.

Fixed by extending Function::isGenerator to check for this case. While that's technically a breaking API change it can only affect custom queries for projects using legacy Mozilla features, of which there are none, as far as I know.

I've tested this on rhino, where it fixes 56 FPs at no performance cost.

@xiemaisi xiemaisi added the JS label Mar 14, 2019
@xiemaisi xiemaisi requested a review from a team as a code owner March 14, 2019 10:53
@semmle-qlci semmle-qlci merged commit 5d9d23e into github:master Mar 14, 2019
@xiemaisi xiemaisi deleted the js/yield-in-non-generator branch March 14, 2019 17:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@asger-semmle asger-semmle asger-semmle approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

JS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xiemaisi @asger-semmle @semmle-qlci

Comments