JavaScript: add flow steps through partial function application #162
semmle-qlci merged 5 commits into github:master from
Conversation
ghost left a comment:
Bold addition. How did the evaluation turn out?
I have a few comments and suggestions.
| override predicate isPartialArgument(DataFlow::Node callback, DataFlow::Node argument, int index) { | ||
| callback = getArgument(0) and | ||
| exists (DataFlow::ArrayLiteralNode array | | ||
| array = getArgument(1) and |
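Review bot: `array = getArgument(1)` in this hunk only matches an array literal written directly as the second argument, so the `exists (DataFlow::ArrayLiteralNode array | ...)` will not see an array that is first bound to a local and then passed in. If that restriction is deliberate, a comment on the `exists` line saying so would help; otherwise `array.flowsTo(getArgument(1))` would cover the indirect case as well.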
Did you deliberately avoid array.flowsTo(getArgument(1))?
Seems safe enough, I'll change it and give it a go.
| */ | ||
| predicate partiallyCalls(DataFlow::AdditionalPartialInvokeNode invk, DataFlow::Node callback, Function f) { | ||
| invk.isPartialArgument(callback, _, _) and | ||
| exists (AbstractFunction callee | callee = callback.analyze().getAValue() | |
You can save the pseudo-cast by declaring callback with the type AnalyzedNode
| * | ||
| * This only holds for explicitly modeled partial calls. | ||
| */ | ||
| predicate partiallyCalls(DataFlow::AdditionalPartialInvokeNode invk, DataFlow::Node callback, Function f) { |
The entire library is internal and privately imported anyway, but sure.
Evaluation on big-apps. No new results and a bit of a slow-down. I'll investigate the slow-downs while we wait for @max to get back.
ghost left a comment:
LGTM, except for performance, I have approved and tagged with WIP.
xiemaisi left a comment:
LGTM.
Optionally, I would support pulling out the logic for preventing cross-file global calls shared by calls and partiallyCalls into an auxiliary predicate (with an appropriate bindingset to enforce inlining if necessary).
Makes sense. I'll get that in after working out the perf differences.
d919aa6 to d38c8af
d38c8af to f0886fd
| invk.isPartialArgument(callback, _, _) and | ||
| exists (AbstractFunction callee | callee = callback.getAValue() | | ||
| if invk.isIndefinite("global") then | ||
| if callback.getAValue().isIndefinite("global") then |
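Review bot: in this hunk the guard `callback.getAValue().isIndefinite("global")` is evaluated independently of the `callee` bound by the enclosing `exists (AbstractFunction callee | callee = callback.getAValue() | ...)`, so it holds whenever any abstract value of `callback` is an indefinite global, not only for the callee currently under consideration. If that over-approximation is intended (an `AbstractFunction` can never itself be indefinite, so the two cannot be unified), a one-line comment above the `if` would spare the next reader the same puzzle.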
> Optionally, I would support pulling out the logic for preventing cross-file global calls shared by calls and partiallyCalls into an auxiliary predicate (with an appropriate bindingset to enforce inlining if necessary).
After this bugfix the two aren't easy to unify anymore. invk.isIndefinite relies on the cached predicate getACalleeValue which we can't use here. Rewriting it turned out to be very costly, so I'd rather leave it like this.
The slowdown was caused by I've run Xss on big-apps and performance now looks better.
@max are you happy with the perf evaluation or should I start a larger run?
No, I think that's fine. @esben-semmle, what's your take?
Adds flow steps from the arguments of `Function.prototype.bind` into the parameters of the target function, and similar for `_.partial` and friends. For example:
Pending evaluation as we're a bit low on worker machines at the moment.
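An added illustration (not code from this PR or from the QL library) of the argument-to-parameter mapping the new flow steps model: a value bound by `Function.prototype.bind` or by a `_.partial`-style helper lands in the callee's parameter at the bound position, and arguments of the later full call are shifted past the bound ones. The `partial` helper and the index functions are stand-ins written here for the example, not lodash or the PR's predicates.

```javascript
// Stand-in for _.partial (assumption: no lodash available offline):
// prepends the bound arguments to whatever the later call supplies.
function partial(fn, ...bound) {
  return (...rest) => fn(...bound, ...rest);
}

// Target function: reports which value arrived in each parameter.
function target(a, b, c) {
  return { a, b, c };
}

// Mirrors the shape of the PR's isPartialArgument(callback, argument, index)
// relation: for `fn.bind(thisArg, arg1, arg2, ...)` and `_.partial(fn, arg1, ...)`
// position 0 is the receiver/callback, and the argument at position i >= 1
// flows into parameter index i - 1 of the target function.
function partialArgumentIndex(argPosition) {
  if (argPosition < 1) {
    throw new RangeError("position 0 is the callback or thisArg, not a partial argument");
  }
  return argPosition - 1;
}

// Arguments of the eventual full call land after the numBound bound ones.
function laterArgumentIndex(numBound, argPosition) {
  return numBound + argPosition;
}

// Runs both forms with a constructed marker value so the modelled mapping
// can be checked against what the engine actually does at runtime.
function demo() {
  const MARKER = "user-input";                       // constructed sample value
  const viaBind = target.bind(null, MARKER, "x")("y"); // MARKER at bind position 1
  const viaPartial = partial(target, "x", MARKER)("y"); // MARKER at partial position 2
  return { viaBind, viaPartial };
}
```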