Skip to content

/ doctorjs

forked from evilpie/jsctags
Permalink
master
Switch branches/tags

doctorjs/lib/cfa2/jscfa.js /
Jump to
Code definitions

No definitions found in this file.

Code navigation not available for this commit

Go to file
  • Go to file
  • Copy path
  • Copy permalink
 
 
Cannot retrieve contributors at this time
4374 lines (3935 sloc) 137 KB
Raw Blame
/* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0/LGPL 2.1
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an 'AS IS' basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is Bespin.
*
* The Initial Developer of the Original Code is
* Dimitris Vardoulakis <dimvar@gmail.com>
* Portions created by the Initial Developer are Copyright (C) 2010
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Dimitris Vardoulakis <dimvar@gmail.com>
* Patrick Walton <pcwalton@mozilla.com>
*
* Alternatively, the contents of this file may be used under the terms of
* either the GNU General Public License Version 2 or later (the "GPL"), or
* the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
* in which case the provisions of the GPL or the LGPL are applicable instead
* of those above. If you wish to allow use of your version of this file only
* under the terms of either the GPL or the LGPL, and not to allow others to
* use your version of this file under the terms of the MPL, indicate your
* decision by deleting the provisions above and replace them with the notice
* and other provisions required by the GPL or the LGPL. If you do not delete
* the provisions above, a recipient may use your version of this file under
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
/*
* Narcissus - JS implemented in JS.
*
* Control-flow analysis to infer types. The output is in ctags format.
*/
/* (Possible) TODOs:
* - now all objs are in heap. If it's too imprecise, treat them as heap vars.
* Create on stack & heap, and if heap changes when u need the obj then join.
* - representation of Aobj: in the common case, an abstract obj has one proto
* and one constructor. Specialize for this case.
*/
/*
* Semantics of: function foo (args) body:
* It's not the same as: var foo = function foo (args) body
* If it appears in a script then it's hoisted at the top, so it's in funDecls
* If it appears in a block then it's visible after it's appearance, in the
* whole rest of the script!!
* {foo(); {function foo() {print("foo");}}; foo();}
* The 1st call to foo throws, but if you remove it the 2nd call succeeds.
*/
/* (POSSIBLY) UNSOUND ASSUMPTIONS:
* - Won't iterate loops to fixpt.
* - Return undefined not tracked, eg (if sth return 12;) always returns number.
* - If the prototype property of a function object foo is accessed in a weird
* way, eg foo["proto" + "type"] the analysis won't figure it out.
* - when popping from an array, I do nothing. This is hard to make sound.
*/
////////////////////////////////////////////////////////////////////////////////
///////////////////////////// UTILITIES /////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
if (!Array.prototype.forEach)
Array.prototype.forEach = function(fun) {
for (var i = 0, len = this.length; i < len; i++)
/* if (i in this) */ fun(this[i], i, this);
};
// search for an elm in the array that satisfies pred
Array.prototype.member = function(pred) {
for (var i = 0, len = this.length; i < len; i++)
/* if (i in this) */ if (pred(this[i])) return this[i];
return false;
};
Array.prototype.memq = function(sth) {
for (var i = 0, len = this.length; i < len; i++)
/* if (i in this) */ if (sth === this[i]) return this[i];
return false;
};
// starting at index, remove all elms that satisfy the pred in linear time.
Array.prototype.rmElmAfterIndex = function(pred, index) {
if (index >= this.length) return;
for (var i = index, j = index, len = this.length; i < len; i++)
if (!pred(this[i])) this[j++] = this[i];
this.length = j;
};
// remove all duplicates from array (keep first occurence of each elm)
// pred determines the equality of elms
Array.prototype.rmDups = function(pred) {
var i = 0, self = this;
while (i < (this.length - 1)) {
this.rmElmAfterIndex(function(elm) { return pred(elm, self[i]); }, i+1);
i++;
}
};
// compare two arrays for structural equality
function arrayeq(eq, a1, a2) {
var len = a1.length, i;
if (len !== a2.length) return false;
for (i=0; i<len; i++) if (!eq(a1[i], a2[i])) return false;
return true;
}
function buildArray(size, elm) {
var a = new Array(size);
for (var i=0; i<size; i++) a[i] = elm;
return a;
}
function buildString(size, elm) {
return buildArray(size, elm).join("");
}
// merge two sorted arrays of numbers into a sorted new array, remove dups!
function arraymerge(a1, a2) {
var i=0, j=0, len1 = a1.length, len2 = a2.length, a = new Array();
while (true) {
if (i === len1) {
for (; j < len2; j++) a.push(a2[j]);
return a;
}
if (j === len2) {
for (; i<len1; i++) a.push(a1[i]);
return a;
}
var diff = a1[i] - a2[j];
if (diff < 0)
a.push(a1[i++]);
else if (diff > 0)
a.push(a2[j++]);
else
i++;
}
}
const UNHANDLED_CONSTRUCT = 0;
const CFA_ERROR = 1;
// number, string -> Error
// returns an Error w/ a "code" property, so that DrJS can classify errors
function errorWithCode(code, msg) {
var e = new Error(msg);
e.code = code;
return e;
}
////////////////////////////////////////////////////////////////////////////////
//////////////////// PREPARE AST FOR FLOW ANALYSIS ///////////////////////
////////////////////////////////////////////////////////////////////////////////
var jsparse = require('../../narcissus/lib/parser');
var Node = jsparse.Node;
const DECLARED_FORM = jsparse.DECLARED_FORM;
const STATEMENT_FORM = jsparse.STATEMENT_FORM;
eval(require('../../narcissus/lib/definitions').consts);
var print = console.log;
var fs = require('fs');
function printf(fd, s) { fs.writeSync(fd, s, null, encoding='utf8'); }
// count is used to generate a unique ID for each node in the AST.
var count;
function newCount() { return ++count; }
// Use token_count to get fresh IDs for new non-terminals
var token_count = (require('../../narcissus/lib/definitions').tokens).length;
const DOT_PROTO = token_count++;
const ARGUMENTS = token_count++;
const PLUS_ASSIGN = token_count++;
// Instead of a flat long case dispatch, arities create a tree-like dispatch.
// Nodes are grouped in arities by how we recur down their structure.
const NULLARY = [NULL, THIS, TRUE, FALSE, IDENTIFIER, NUMBER, STRING, REGEXP];
const UNARY = [DELETE, VOID, TYPEOF, NOT, BITWISE_NOT, UNARY_PLUS, UNARY_MINUS,
NEW, INCREMENT, DECREMENT, DOT_PROTO, ARGUMENTS];
const BINARY = [BITWISE_OR, BITWISE_XOR, BITWISE_AND, EQ, NE, STRICT_EQ,
STRICT_NE, LT, LE, GE, GT, INSTANCEOF, LSH, RSH, URSH, PLUS,
MINUS, MUL, DIV, MOD, AND, OR, ASSIGN, INDEX, IN, DOT,
PLUS_ASSIGN];
const N_ARY = [COMMA, ARRAY_INIT];
// expr node -> stm node
function semiNode(n) {
var sn = new Node(n.tokenizer, {type:SEMICOLON});
sn.expression = n;
return sn;
}
// tokenizer, string -> identifier node
function idNode(t, name) {
var n = new Node(t, {type:IDENTIFIER});
n.name = n.value = name;
return n;
}
var astSize; // calculated for statistics
// node, optional string -> node
// Does some cleanup on the input expression node in-place.
// funName is used to name some anonymous funs using heuristics from the context
function fixExp(n, funName) {
var nt = n.type, ch = n.children;
astSize++;
function fixe(n, i, ch) { ch[i] = fixExp(n); }
if (NULLARY.memq(nt)) {
if (nt === IDENTIFIER) n.name = n.value;
else if (nt === STRING) n.value += "-";
}
else if (UNARY.memq(nt)) {
if (nt === UNARY_MINUS && ch[0].type === NUMBER) {
n.type = NUMBER;
n.value = -ch[0].value;
n.children = [];
return n;
}
if (nt === NEW) { // unify NEW and NEW_WITH_ARGS
n.type = NEW_WITH_ARGS;
ch.push(new Node(n.tokenizer, {type:LIST, children:[]}));
}
ch[0] = fixExp(ch[0]);
}
else if (BINARY.memq(nt)) {
if (nt === INDEX) {
ch.forEach(fixe);
if (ch[1].type === NUMBER) {
ch[1].type = STRING;
ch[1].value += "-";
}
return n;
}
else if (nt === DOT) {
var ch1 = ch[1];
// jsparse makes the 1st child of DOTs an ID b/c that's what is parsed.
// For an evaluator it makes more sense to make the 1st child a string,
// b/c functions that recur on DOTs won't try to look it up as a name.
ch1.type = STRING;
delete ch1.name;
// DOT_PROTO has no new semantic meaning, it's an optimization so that we
// dont check at every property access if the property name is "prototype"
if (ch1.value === "prototype") n.type = DOT_PROTO;
}
else if (nt === ASSIGN && ch[0].assignOp === PLUS)
n.type = PLUS_ASSIGN;
else if (nt === ASSIGN && !ch[0].assignOp) {
var n0 = ch[0];
ch[0] = fixExp(n0);
if (n0.type === IDENTIFIER)
funName = n0.name;
else if (n0.type === DOT) {
var fname = n0.children[1].value;
funName = fname.substring(0, fname.length - 1);
}
ch[1] = fixExp(ch[1], funName);
return n;
}
ch.forEach(fixe);
}
else if (nt === HOOK || N_ARY.memq(nt)) {
// Uncomment this if Narcissus produces empty COMMA nodes.
if (nt === COMMA && ch.length === 0)
ch.push(new Node(n.tokenizer, {type:TRUE}));
if (nt === ARRAY_INIT) {
ch.forEach(function(kid, i, ch) {
if (kid === null) ch[i] = idNode(n.tokenizer, "undefined");
});
}
ch.forEach(fixe);
}
else if (nt === CALL || nt === NEW_WITH_ARGS) {
ch[0] = fixExp(ch[0]);
ch[1].children.forEach(fixe);
}
else if (nt === FUNCTION) {
fixFun(n, funName);
}
else if (nt === OBJECT_INIT) {
ch.forEach(function(prop) {
if (prop.type === GETTER || prop.type === SETTER) {
// FIXME: for now, just don't crash on getters/setters
prop.children = [new Node(n.tokenizer,
{ type : STRING, value : prop.name + "-" }),
new Node(n.tokenizer, {type:TRUE})];
}
else {
var pch = prop.children, pch0 = pch[0], pname = pch0.value;
pch0.type = STRING;
delete pch0.name;
pch0.value += "-";
pch[1] = fixExp(pch[1], pname);
}
});
}
else if (nt === LET_BLOCK) {
n.varDecls.forEach(function(vd, i, vds) {
vd.name = vd.value;
vd.initializer && (vd.initializer = fixExp(vd.initializer, vd.value));
});
n.expression = fixExp(n.expression);
}
else if (nt === YIELD) { // FIXME: for now, just don't crash on yield
n.type = TRUE;
delete n.value
}
return n;
}
// node, optional string -> void
function fixFun(n, funName) {
var t = n.tokenizer;
// replace name w/ a property fname which is an IDENTIFIER node.
n.fname = idNode(t, n.name || funName);
delete n.name;
// turn the formals to nodes, I'll want to attach stuff to them later.
n.params.forEach(function(p, i, ps) { ps[i] = idNode(t, p); });
// don't tag builtin funs, they never have RETURN when used as constructors.
n.hasReturn = fixStm(n.body);
}
// Array of id nodes, tokenizer -> comma node
// Convert variable initializations (coming from VAR,CONST,LET) to assignments.
function initsToAssigns(inits, t) {
var n, vdecl, a, i, len, ch;
n = new Node(t, {type:COMMA});
ch = n.children;
for (i = 0, len = inits.length; i < len; i++) {
vdecl = inits[i];
if (vdecl.initializer) {
a = new Node(vdecl.tokenizer, {type:ASSIGN});
a.children = [idNode(vdecl.tokenizer, vdecl.name), vdecl.initializer];
ch.push(a);
}
}
// if no initialization values, push dummy node to avoid empty comma node.
ch.length || ch.push(new Node(t, {type:TRUE}));
return n;
}
// node, optional script node -> boolean
// returns true iff n contains RETURN directly (not RETURNs of inner functions).
function fixStm(n, parentScript) {
var i, j, n2, ans1, ans2, ch = n.children;
astSize++;
switch (n.type) {
case SCRIPT:
case BLOCK:
var ans1 = false, parscr = (n.type === SCRIPT) ? n : parentScript;
i=0;
while (i < ch.length) {
n2 = ch[i];
switch (n2.type) {
case VAR:
case CONST:
ch.splice(i++, 1,
semiNode(fixExp(initsToAssigns(n2.children, n2.tokenizer))));
break;
case SWITCH:
if (n2.cases.length === 0) {// switch w/out branches becomes semi node
n2.discriminant = fixExp(n2.discriminant);
ch[i] = semiNode(n2.discriminant);
}
else
ans1 = fixStm(n2, parscr) || ans1;
i++;
break;
case FUNCTION: //rm functions from Script bodies, they're in funDecls
fixFun(n2);
// To handle funs in blocks, unsoundly add them to funDecls
if (n2.functionForm === STATEMENT_FORM) parscr.funDecls.push(n2);
ch.splice(i, 1);
// The code below is for when we don't handle funs in blocks.
// if (n2.functionForm === DECLARED_FORM)
// ch.splice(i, 1);
// else
// ++i;
break;
case SEMICOLON: // remove empty SEMICOLON nodes
if (n2.expression == null) {
ch.splice(i, 1);
break;
} // o/w fall thru to fix the node
default:
ans1 = fixStm(n2, parscr) || ans1;
i++;
break;
}
}
return ans1;
case LET: // let definitions
n.children.forEach(function(vd) {
vd.name = vd.value;
vd.initializer && (vd.initializer = fixExp(vd.initializer));
});
return false;
case LET_BLOCK:
n.varDecls.forEach(function(vd) {
vd.name = vd.value;
vd.initializer && (vd.initializer = fixExp(vd.initializer));
});
if (n.expression) { // let-exp in stm context
n.expression = fixExp(n.expression);
n.block = semiNode(n.expression);
delete n.expression;
return false;
}
else // let-stm
return fixStm(n.block, parentScript);
case BREAK: case CONTINUE: case DEBUGGER:
n.type = BLOCK;
n.varDecls = [];
n.children = [];
return false;
case SEMICOLON:
if (!n.expression)
n.expression = new Node(n.tokenizer, {type:TRUE});
else
n.expression = fixExp(n.expression); //n.expression can't be null
return false;
case IF:
n.condition = fixExp(n.condition);
ans1 = fixStm(n.thenPart, parentScript);
return (n.elsePart && fixStm(n.elsePart, parentScript)) || ans1;
case SWITCH:
n.discriminant = fixExp(n.discriminant);
ans1 = false;
n.cases.forEach( function(branch) {
branch.caseLabel && (branch.caseLabel = fixExp(branch.caseLabel));
ans2 = fixStm(branch.statements, parentScript);
ans1 = ans1 || ans2;
});
return ans1;
case FOR:
n2 = n.setup;
if (n2) {
if (n2.type === VAR || n2.type === CONST)
n.setup = fixExp(initsToAssigns(n2.children, n2.tokenizer));
else
n.setup = fixExp(n2);
}
n.condition && (n.condition = fixExp(n.condition));
n.update && (n.update = fixExp(n.update));
return fixStm(n.body, parentScript);
case FOR_IN:
n.iterator = fixExp(n.iterator);
n.object = fixExp(n.object);
if (n.body.type !== BLOCK) {
var fibody = new Node(n.tokenizer, {type:BLOCK});
fibody.children = [n.body];
n.body = fibody;
}
return fixStm(n.body, parentScript);
case WHILE:
case DO:
n.condition = fixExp(n.condition);
return fixStm(n.body, parentScript);
case TRY: // turn the varName of each catch-clause to a node called exvar
ans1 = fixStm(n.tryBlock, parentScript);
n.catchClauses.forEach(function(clause) {
clause.exvar = idNode(clause.tokenizer, clause.varName);
clause.guard && (clause.guard = fixExp(clause.guard));
ans2 = fixStm(clause.block, parentScript);
ans1 = ans1 || ans2;
});
return (n.finallyBlock && fixStm(n.finallyBlock, parentScript)) || ans1;
case THROW:
n.exception = fixExp(n.exception);
return false;
case RETURN:
if (n.value === undefined)
n.value = idNode(n.tokenizer, "undefined");
else
n.value = fixExp(n.value);
return true;
case VAR: case CONST: // very rare to not appear in a block or script.
n.type = SEMICOLON;
n.expression = fixExp(initsToAssigns(n.children, n.tokenizer));
ch = [];
return false;
case FUNCTION:
n2 = new Node(n.tokenizer, {type:FUNCTION});
n2.name = n.name; delete n.name;
n2.params = n.params; delete n.params;
n2.functionForm = n.functionForm; delete n.functionForm;
n2.body = n.body; delete n.body;
fixFun(n2);
// To handle funs not in scripts, unsoundly add them to funDecls
parentScript.funDecls.push(n2);
n.type = SEMICOLON;
n.expression = new Node(n.tokenizer, {type:TRUE});
return false;
case WITH:
n.object = fixExp(n.object);
return fixStm(n.body, parentScript);
case LABEL: //replace LABEL nodes by their statement (forget labels)
n.type = BLOCK;
n.varDecls = [];
n.children = [n.statement];
delete n.statement;
return fixStm(n.children[0], parentScript);
default:
throw errorWithCode(UNHANDLED_CONSTRUCT,
"fixStm: " + n.type + ", line " + n.lineno);
}
}
// Invariants of the AST after fixStm:
// - no NEW nodes, they became NEW_WITH_ARGS
// - the formals of functions are nodes, not strings
// - functions have a property fname which is an IDENTIFIER node, name deleted
// - no VAR and CONST nodes, they've become semicolon comma nodes.
// - no BREAK and CONTINUE nodes.
// Unfortunately, this isn't independent of exceptions.
// If a finally-block breaks or continues, the exception isn't propagated.
// I will falsely propagate it (still sound, just more approximate).
// - no LABEL nodes
// - function nodes only in blocks, not in scripts
// - no empty SEMICOLON nodes
// - no switches w/out branches
// - each catch clause has a property exvar which is an IDENTIFIER node
// - all returns have .value (the ones that didn't, got an undefined)
// - the lhs of a property initializer of an OBJECT_INIT is always a string
// - the property names in DOT and OBJECT_INIT end with a dash.
// - there is no DOT whose 2nd arg is "prototype", they've become NODE_PROTOs.
// - the second kid of DOT is always a STRING, not an IDENTIFIER.
// - value of a NUMBER can be negative (UNARY_MINUS of constant became NUMBER).
// - the operator += has its own non-terminal, PLUS_ASSIGN.
// - each function node has a property hasReturn to show if it uses RETURN.
// - there is no INDEX whose 2nd arg has type NUMBER, they've become STRINGs.
// - The body of a LET_BLOCK in statement context is always a statement.
// - FUNCTIONs in BLOCKs are added to funDecls of enclosing SCRIPT.
// - Array literals don't have holes (null children) in them.
// - The body of FOR_IN is always a BLOCK.
function walkASTgenerator() {
var jt = new Array(token_count); // jump table
var o = {}; // dummy object for the calls to apply
function recur(n) { return jt[n.type].apply(o, arguments); }
function override(tt, fun) { jt[tt] = fun; }
function _nokids() {}
NULLARY.forEach(function(tt) { jt[tt] = _nokids; });
function _haskids() {
var args = arguments, ch = args[0].children;
ch.forEach(function(kid) {
args[0] = kid;
recur.apply(o, args);
});
}
[HOOK].concat(N_ARY, UNARY, BINARY).forEach(function(tt) {jt[tt]=_haskids;});
jt[CALL] = jt[NEW_WITH_ARGS] = function() {
var args = arguments, n = args[0], ch = n.children;
args[0] = ch[0];
recur.apply(o, args);
ch[1].children.forEach(function(kid) {
args[0] = kid;
recur.apply(o, args);
});
};
jt[OBJECT_INIT] = function() {
var args = arguments;
args[0].children.forEach(function(kid) {
var ch = kid.children;
args[0] = ch[0];
recur.apply(o, args);
args[0] = ch[1];
recur.apply(o, args);
});
};
jt[FUNCTION] = function() {
arguments[0] = arguments[0].body;
recur.apply(o, arguments);
};
jt[SCRIPT] = function() {
var args = arguments, n = args[0];
n.funDecls.forEach(function(fd) {
args[0] = fd;
recur.apply(o, args);
});
n.children.forEach(function(kid) {
args[0] = kid;
recur.apply(o, args);
});
};
jt[BLOCK] = function() {
var args = arguments;
args[0].children.forEach(function(kid) {
args[0] = kid;
recur.apply(o, args);
});
};
jt[SEMICOLON] = function() {
arguments[0] = arguments[0].expression;
recur.apply(o, arguments);
};
jt[IF] = function() {
var n = arguments[0];
arguments[0] = n.condition;
recur.apply(o, arguments);
arguments[0] = n.thenPart;
recur.apply(o, arguments);
if (n.elsePart) {
arguments[0] = n.elsePart;
recur.apply(o, arguments);
}
};
jt[SWITCH] = function() {
var args = arguments, n = args[0];
args[0] = n.discriminant;
recur.apply(o, args);
n.cases.forEach(function(branch) {
if (branch.caseLabel) {
args[0] = branch.caseLabel;
recur.apply(o, args);
}
args[0] = branch.statements;
recur.apply(o, args);
});
};
jt[FOR] = function() {
var n = arguments[0];
if (n.setup) {
arguments[0] = n.setup;
recur.apply(o, arguments);
}
if (n.condition) {
arguments[0] = n.condition;
recur.apply(o, arguments);
}
if (n.update) {
arguments[0] = n.update;
recur.apply(o, arguments);
}
arguments[0] = n.body;
recur.apply(o, arguments);
};
jt[FOR_IN] = function() {
var n = arguments[0];
arguments[0] = n.iterator;
recur.apply(o, arguments);
arguments[0] = n.object;
recur.apply(o, arguments);
arguments[0] = n.body;
recur.apply(o, arguments);
};
jt[WHILE] = jt[DO] = function() {
var n = arguments[0];
arguments[0] = n.condition;
recur.apply(o, arguments);
arguments[0] = n.body;
recur.apply(o, arguments);
};
jt[TRY] = function() {
var args = arguments, n = args[0];
args[0] = n.tryBlock;
recur.apply(o, args);
n.catchClauses.forEach(function(clause) {
if (clause.guard) {
args[0] = clause.guard;
recur.apply(o, args);
}
args[0] = clause.block;
recur.apply(o, args);
});
if (n.finallyBlock) {
args[0] = n.finallyBlock;
recur.apply(o, args);
}
};
jt[THROW] = function() {
arguments[0] = arguments[0].exception;
recur.apply(o, arguments);
};
jt[RETURN] = function() {
var n = arguments[0];
if (n.value) {
arguments[0] = n.value;
recur.apply(o, arguments);
}
};
jt[WITH] = function() {
var n = arguments[0];
arguments[0] = n.object;
recur.apply(o, arguments);
arguments[0] = n.body;
recur.apply(o, arguments);
};
jt[LET_BLOCK] = function() {
var args = arguments, n = args[0];
n.varDecls.forEach(function(vd) {
(args[0] = vd.initializer) && recur.apply(o, args);
});
(args[0] = n.expression) || (args[0] = n.block);
recur.apply(o, args);
};
jt[LET] = function() {
var args = arguments;
args[0].children.forEach(function(vd) {
(args[0] = vd.initializer) && recur.apply(o, args);
});
};
return { walkAST: recur, override: override};
}
// node -> void
// Adds an "addr" property to nodes, which is a number unique for each node.
var labelAST, labelAST_override;
(function() {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
labelAST = walkerobj.walkAST;
labelAST_override = override;
override(ARRAY_INIT, function(n) {
n.addr = newCount();
n.children.forEach(labelAST);
});
override(NEW_WITH_ARGS, function(n) {
n.addr = newCount();
labelAST(n.children[0]);
n.children[1].children.forEach(labelAST);
});
override(REGEXP, function(n) { n.addr = newCount(); });
override(OBJECT_INIT, function(n) {
n.addr = newCount();
n.children.forEach(function(prop) {
labelAST(prop.children[0]);
labelAST(prop.children[1]);
});
});
override(TRY, function(n) {
labelAST(n.tryBlock);
n.catchClauses.forEach(function(c) {
c.exvar.addr = newCount();
c.guard && labelAST(c.guard);
labelAST(c.block);
});
n.finallyBlock && labelAST(n.finallyBlock);
});
override(SCRIPT, function(n) {
n.varDecls.forEach(function(vd) {vd.addr = newCount();});
n.funDecls.forEach(labelAST);
n.children.forEach(labelAST);
});
override(FUNCTION, function _function(n) {
n.addr = newCount();
n.defaultProtoAddr = newCount();
n.fname.addr = newCount();
n.params.forEach(function(p) { p.addr = newCount(); });
labelAST(n.body);
});
})();
// Node, number, Array of id nodes -> void
// WITH node, address of the fresh variable, bound variables
// After desugarWith is executed, there are no WITHs in the AST.
var desugarWith;
// FIXME: the desugaring handles nested WITHs incorrectly.
(function () {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
desugarWith = walkerobj.walkAST;
function withIdNode(t, addr) {
var n = idNode(t, "internalVar: with");
n.addr = addr;
return n;
}
override(SCRIPT, function(n, withAddr, boundvars) {
n.funDecls.forEach(function(fd) { desugarWith(fd, withAddr, boundvars); });
var blen = boundvars.length;
Array.prototype.push.apply(boundvars, n.varDecls);
n.children.forEach(function(stm) {
desugarWith(stm, withAddr, boundvars, n.varDecls);
});
boundvars.splice(blen, boundvars.length);
});
override(FUNCTION, function(n, withAddr, boundvars) {
var blen = boundvars.length;
Array.prototype.push.apply(boundvars, n.params);
desugarWith(n.body, withAddr, boundvars);
boundvars.splice(blen, boundvars.length);
});
// Turn to a block with two statements.
// The 4th argument is the varDecls of the innermost enclosing SCRIPT, so that
// the fresh variable of the WITH can be added there.
override(WITH, function(n, withAddr, boundvars, vardecls) {
var newaddr = newCount(), t = n.tokenizer;
var freshvar = withIdNode(t, newaddr), assgn;
vardecls.push(freshvar);
assgn = new Node(t, {type:ASSIGN});
assgn.children = [freshvar, n.object];
desugarWith(n.body, newaddr, [], vardecls);
n.type = BLOCK;
n.varDecls = [];
n.children = [semiNode(assgn), n.body];
delete n.object;
delete n.body;
});
// Add the CATCH variable to the bound variables
override(TRY, function(n, withAddr, boundvars, vardecls) {
desugarWith(n.tryBlock, withAddr, boundvars, vardecls);
n.catchClauses.forEach(function(clause) {
boundvars.push(clause.exvar);
clause.guard && desugarWith(clause.guard, withAddr, boundvars);
desugarWith(clause.block, withAddr, boundvars, vardecls);
boundvars.pop();
});
n.finallyBlock && desugarWith(n.finallyBlock,withAddr,boundvars,vardecls);
});
// May change n to an IF node
override(FOR_IN, function(n, withAddr, boundvars, vardecls) {
var it = n.iterator, it, obj = n.object, b = n.body;
if (it.type === IDENTIFIER)
// (Temporary) Copy to avoid sharing introduced by desugaring.
n.iterator = it = idNode(it.tokenizer, it.value);
desugarWith(obj, withAddr, boundvars);
desugarWith(b, withAddr, boundvars, vardecls);
if (it.type !== IDENTIFIER) {
desugarWith(it, withAddr, boundvars);
return;
}
if (_makeHook(n, it, withAddr, boundvars)) {
var t = n.tokenizer, ch = n.children;
n.type = IF;
n.children = [];
n.condition = ch[0];
var forinn = new Node(t, {type:FOR_IN});
forinn.iterator = ch[1];
forinn.object = obj;
forinn.body = b;
n.thenPart = forinn;
forinn = new Node(t, {type:FOR_IN});
forinn.iterator = ch[2];
forinn.object = obj;
// The body b must be cloned o/w markConts will overwrite the conts of the
// true branch when it processes the false branch.
forinn.body = b;
n.elsePart = forinn;
}
});
// Change the 1st arg to a HOOK node.
// n may be an ID node, but it doesn't appear in varDecls b/c it's an rvalue,
// it doesn't come from a VAR, so it can be mutated safely.
// Returns true iff it edits the node.
function _makeHook(n, idn, withAddr, boundvars) {
var t = idn.tokenizer, name = idn.name;
if (!withAddr) return;
if (boundvars.member(function(bv) { return bv.name === name; })) return;
var inn = new Node(t, {type : IN});
inn.children = [new Node(t, {type : STRING, value : name + "-"}),
withIdNode(t, withAddr)];
var dotn = new Node(t, {type: DOT});
dotn.children = [withIdNode(t, withAddr),
new Node(t, {type:STRING, value : name + "-"})];
n.type = HOOK;
n.children = [inn, dotn, idNode(t, name)];
return true;
}
override(IDENTIFIER, function(n, withAddr, boundvars) {
_makeHook(n, n, withAddr, boundvars);
});
// May change n to a HOOK node
function _assign(n, withAddr, boundvars) {
var t = n.tokenizer, type = n.type, lval = n.children[0],
aop = lval.assignOp, rval = n.children[1];
desugarWith(rval, withAddr, boundvars);
if (lval.type !== IDENTIFIER) {
desugarWith(lval, withAddr, boundvars);
return;
}
if (_makeHook(n, lval, withAddr, boundvars)) {
var branch = n.children[1], assgn = new Node(t, {type:type});
branch.assignOp = aop;
assgn.children = [branch, rval];
n.children[1] = assgn;
branch = n.children[2], assgn = new Node(t, {type:type});
branch.assignOp = aop;
assgn.children = [branch, rval];
n.children[2] = assgn;
}
}
override(ASSIGN, _assign);
override(PLUS_ASSIGN, _assign);
})();
// Node, Map from strings to id nodes, Array of id nodes -> void
// Rename variables according to the input substitution map
var subst;
(function () {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
subst = walkerobj.walkAST;
// The only substitution happens here. All other cases are binders, so they
// update boundvars to prevent erroneous substitutions.
override(IDENTIFIER, function(n, smap, boundvars) {
var vname = n.value;
if (boundvars.member(function(bv) { return bv.value === vname; })) return;
var newvar = smap[vname];
if (newvar) {
n.name = n.value = newvar.value;
n.addr = newvar.addr;
}
});
override(FUNCTION, function(n, smap, boundvars) {
var blen = boundvars.length;
boundvars.push(n.fname);
Array.prototype.push.apply(boundvars, n.params);
subst(n.body, smap, boundvars);
boundvars.splice(blen, boundvars.length);
});
function _block(vds, fds, stms, smap, boundvars) {
var blen = boundvars.length;
Array.prototype.push.apply(boundvars, vds);
if (fds) {
fds.forEach(function(fd) { boundvars.push(fd.fname); });
fds.forEach(function(fd) { subst(fd, smap, boundvars); });
}
stms.forEach(function(stm) { subst(stm, smap, boundvars); });
boundvars.splice(blen, boundvars.length);
}
override(SCRIPT, function(n, smap, boundvars) {
_block(n.varDecls, n.funDecls, n.children, smap, boundvars);
});
override(BLOCK, function(n, smap, boundvars) {
_block(n.varDecls, undefined, n.children, smap, boundvars);
});
override(FOR, function(n, smap, boundvars) {
var blen = boundvars.length;
n.varDecls && Array.prototype.push.apply(boundvars, n.varDecls);
n.setup && subst(n.setup, smap, boundvars);
n.condition && subst(n.condition, smap, boundvars);
n.update && subst(n.update, smap, boundvars);
subst(n.body, smap, boundvars);
boundvars.splice(blen, boundvars.length);
});
override(LET_BLOCK, function(n, smap, boundvars) {
var vds = n.varDecls, stms;
if (n.expression)
stms = [semiNode(n.expression)];
else {
vds.concat(n.block.varDecls);
stms = n.block.children;
}
_block(vds, undefined, stms, smap, boundvars);
});
override(TRY, function(n, smap, boundvars) {
subst(n.tryBlock, smap, boundvars);
n.catchClauses.forEach(function(clause) {
boundvars.push(clause.exvar);
clause.guard && subst(clause.guard, smap, boundvars);
subst(clause.block, smap, boundvars);
boundvars.pop();
});
n.finallyBlock && subst(n.finallyBlock, smap, boundvars);
});
})();
// Must happen after desugaring of WITH, o/w when I create fresh vars for LETs,
// I may subst erroneously in the body of a WITH.
// After desugarLet is executed, there are no LETs or LET_BLOCKs in the AST.
var desugarLet;
(function () {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
desugarLet = walkerobj.walkAST;
// Array of id nodes, Array of id nodes, tokenizer ->
// { smap : Substitution map, comman : comma node }
function letInitsToAssigns(vds, scriptVds, t) {
var smap = {}, newaddr, freshvar, comman;
for (var i = 0, len = vds.length; i < len; i++) {
newaddr = newCount();
// New vars must have different names for tagVarRefs to work.
freshvar = idNode(t, "internalVar: let" + newaddr);
freshvar.addr = newaddr;
smap[vds[i].value] = freshvar;
scriptVds.push(freshvar);
}
comman = initsToAssigns(vds, t);
subst(comman, smap, []);
desugarLet(comman, scriptVds);
return {smap : smap, comman : comman};
}
override(LET_BLOCK, function(n, scriptVds) {
var tmp = letInitsToAssigns(n.varDecls, scriptVds, n.tokenizer),
smap = tmp.smap,
comman = tmp.comman;
delete n.variables;
var body;
if (body = n.expression) {
subst(body, smap, []);
desugarLet(body, scriptVds);
n.type = COMMA;
n.children = comman.children;
n.children.push(body);
delete n.expression;
}
else if (body = n.block) {
subst(body, smap, []);
desugarLet(body, scriptVds, body);
n.type = BLOCK;
n.children = body.children;
n.children.unshift(semiNode(comman));
delete n.block;
n.varDecls = [];
}
});
override(BLOCK, function(n, scriptVds) {
n.children.forEach(function(stm) { desugarLet(stm, scriptVds, n); });
});
override(FOR, function(n, scriptVds) {
n.setup && desugarLet(n.setup, scriptVds, n); // LET can appear in setup
n.condition && desugarLet(n.condition, scriptVds);
n.update && desugarLet(n.update, scriptVds);
desugarLet(n.body, scriptVds);
});
// LET definitions can appear in SCRIPTs or BLOCKs
override(LET, function(n, scriptVds, innerBlock) {
var tmp = letInitsToAssigns(n.children, scriptVds, n.tokenizer),
smap = tmp.smap,
comman = tmp.comman;
// Call subst on the sub-nodes of innerBlock directly, to avoid binding vars
// that must be substituted.
if (innerBlock.type === FOR) {
subst(innerBlock.setup, smap, []);
innerBlock.condition && subst(innerBlock.condition, smap, []);
innerBlock.update && subst(innerBlock.update, smap, []);
subst(innerBlock.body, smap, []);
n.type = COMMA;
n.children = comman.children;
}
else {
innerBlock.children.forEach(function(stm) { subst(stm, smap, []); });
n.type = SEMICOLON;
n.expression = comman;
delete n.children;
}
});
override(SCRIPT, function(n) {
var vds = n.varDecls;
n.funDecls.forEach(desugarLet);
n.children.forEach(function(stm) { desugarLet(stm, vds, n); });
});
})();
const STACK = 0, HEAP = 1;
// helper function for the IDENTIFIER case of tagVarRefs
function tagVarRefsId(classifyEvents) {
return function(n, innerscope, otherscopes) {
var boundvar, varname = n.name;
// search var in innermost scope
for (var i = innerscope.length - 1; i >= 0; i--) {
boundvar = innerscope[i];
if (boundvar.name === varname) {
//print("stack ref: " + varname);
n.kind = STACK;
// if boundvar is a heap var and some of its heap refs get mutated,
// we may need to update bindings in frames during the cfa.
n.addr = boundvar.addr;
return;
}
}
// search var in other scopes
for (var i = otherscopes.length - 1; i >= 0; i--) {
boundvar = otherscopes[i];
if (boundvar.name === varname) {
// print("heap ref: " + varname);
n.kind = boundvar.kind = HEAP;
n.addr = boundvar.addr;
flags[boundvar.addr] = true;
return;
}
}
// var has no binder in the program
if (commonJSmode && varname === "exports") {
n.kind = HEAP;
n.addr = exports_object_av_addr;
var p = arguments[3]; // exported property name passed as extra arg
if (p && p.type === STRING)
exports_object.lines[p.value.slice(0, -1)] = p.lineno;
return;
}
//print("global: " + varname + " :: " + n.lineno);
n.type = DOT;
var nthis = idNode({lineno: n.lineno}, "internalVar: global object");
nthis.kind = HEAP;
if (classifyEvents && varname === "addEventListener")
nthis.addr = chrome_obj_av_addr;
else
nthis.addr = global_object_av_addr;
n.children = [nthis, new Node({}, {type:STRING, value:n.name + "-"})];
};
}
// node, array of id nodes, array of id nodes -> void
// Classify variable references as either stack or heap references.
var tagVarRefs, tagVarRefs_override;
(function() {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
tagVarRefs = walkerobj.walkAST;
tagVarRefs_override = override;
override(DOT, function(n, innerscope, otherscopes) {
var ch = n.children;
var n0 = ch[0];
// don't classify property names
if (commonJSmode && n0.type === IDENTIFIER && n0.name === "exports")
tagVarRefs(n0, innerscope, otherscopes, ch[1]);
else
tagVarRefs(n0, innerscope, otherscopes);
});
override(INDEX, function(n, innerscope, otherscopes) {
var ch = n.children, n0 = ch[0], shadowed = false;
// use new non-terminal only if "arguments" refers to the arguments array
if (n0.type === IDENTIFIER && n0.name === "arguments") {
for (var i = innerscope.length - 1; i >= 0; i--)
if (innerscope[i].name === "arguments") {
shadowed = true;
break;
}
if (!shadowed) {
n.type = ARGUMENTS;
n.arguments = innerscope; //hack: innerscope is params (maybe extended)
ch[0] = ch[1];
ch.splice(1, 1);
// undo the changes made for INDEX nodes only in fixExp
if (ch[0].type === STRING && propIsNumeric(ch[0].value)) {
ch[0].type = NUMBER;
ch[0].value = ch[0].value.slice(0, -1) - 0;
}
}
}
ch.forEach(function(kid) { tagVarRefs(kid, innerscope, otherscopes); });
});
override(IDENTIFIER, tagVarRefsId(false));
override(FUNCTION, function(n, innerscope, otherscopes) {
var fn = n.fname, len, params = n.params;
len = otherscopes.length;
// extend otherscopes
Array.prototype.push.apply(otherscopes, innerscope);
// fun name is visible in the body & not a heap ref, add it to scope
params.push(fn);
tagVarRefs(n.body, params, otherscopes);
params.pop();
if (fn.kind !== HEAP) fn.kind = STACK;
params.forEach(function(p) {if (p.kind !== HEAP) p.kind=STACK;});
// trim otherscopes
otherscopes.splice(len, innerscope.length);
});
override(SCRIPT, function(n, innerscope, otherscopes) {
var i, j, len, vdecl, vdecls = n.varDecls, fdecl, fdecls = n.funDecls;
// extend inner scope
j = innerscope.length;
Array.prototype.push.apply(innerscope, vdecls);
fdecls.forEach(function(fd) { innerscope.push(fd.fname); });
// tag refs in fun decls
fdecls.forEach(function(fd) { tagVarRefs(fd, innerscope, otherscopes); });
// tag the var refs in the body
var as = arguments;
n.children.forEach(function(stm) {tagVarRefs(stm,innerscope,otherscopes);});
// tag formals
vdecls.forEach(function(vd) {
// for toplevel vars, assigning flags causes the Aval`s to be recorded
// in the heap. After the analysis, we use that for ctags.
if (as[3] === "toplevel") flags[vd.addr] = true;
if (vd.kind !== HEAP) vd.kind = STACK;
});
fdecls.forEach(function(fd) { if (fd.kind !== HEAP) fd.kind = STACK; });
//trim inner scope
innerscope.splice(j, vdecls.length + fdecls.length);
});
override(TRY, function(n, innerscope, otherscopes) {
tagVarRefs(n.tryBlock, innerscope, otherscopes);
n.catchClauses.forEach(function(clause) {
var xv = clause.exvar;
innerscope.push(xv);
clause.guard &&
tagVarRefs(clause.guard, innerscope, otherscopes);
tagVarRefs(clause.block, innerscope, otherscopes);
innerscope.pop();
if (xv.kind !== HEAP) xv.kind = STACK;
});
n.finallyBlock && tagVarRefs(n.finallyBlock, innerscope, otherscopes);
});
})();
// node, node, node -> void
// For every node N in the AST, add refs from N to the node that is normally
// exec'd after N and to the node that is exec'd if N throws an exception.
var markConts;
(function() {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
markConts = walkerobj.walkAST;
function _fun(n) { markConts(n.body, undefined, undefined); }
override(FUNCTION, _fun);
function _block(n, kreg, kexc) {
var ch = n.children, i, len;
n.kexc = kexc;
len = ch.length;
if (len === 0)
n.kreg = kreg;
else {
n.kreg = ch[0];
len--;
for (i=0; i < len; i++) markConts(ch[i], ch[i+1], kexc);
markConts(ch[len], kreg, kexc);
}
}
override(BLOCK, _block);
override(SCRIPT, function(n, kreg, kexc) {
n.funDecls.forEach(_fun);
_block(n, kreg, kexc);
});
override(SEMICOLON, function(n, kreg, kexc) {
n.kreg = kreg;
n.kexc = kexc;
markConts(n.expression);
});
// normally, return & throw don't use their kreg. But this analysis allows
// more permissive control flow, to be faster.
override(THROW, function(n, kreg, kexc) {
n.kreg = kreg;
n.kexc = kexc;
markConts(n.exception);
});
override(RETURN, function(n, kreg, kexc) {
n.kreg = kreg;
n.kexc = kexc;
markConts(n.value);
});
override(IF, function(n, kreg, kexc) {
var thenp = n.thenPart, elsep = n.elsePart, condStm;
condStm = semiNode(n.condition);
n.kreg = condStm; // first run the test
n.kexc = kexc;
markConts(condStm, thenp, kexc); // ignore result & run the true branch
markConts(thenp, elsep || kreg, kexc); // then run the false branch
elsep && markConts(elsep, kreg, kexc);
});
function markContsCase(n, kreg, kexc) {
var clabel = n.caseLabel, clabelStm, stms = n.statements;
n.kexc = kexc;
if (clabel) {
clabelStm = semiNode(clabel);
n.kreg = clabelStm;
markConts(clabelStm, stms, kexc);
}
else n.kreg = stms;
markConts(stms, kreg, kexc);
}
override(SWITCH, function(n, kreg, kexc) {
var cases = n.cases, discStm, i, len;
discStm = semiNode(n.discriminant);
n.kreg = discStm; // first run the discriminant, then all branches in order
n.kexc = kexc;
markConts(discStm, cases[0], kexc);
for (i = 0, len = cases.length - 1; i < len; i++) //no empty switch, len >=0
markContsCase(cases[i], cases[i+1], kexc);
markContsCase(cases[len], kreg, kexc);
});
override(FOR, function(n, kreg, kexc) {
var body = n.body;
n.kexc = kexc;
// Do setup, condition, body & update once.
var setup = n.setup, setupStm, condition = n.condition, condStm;
var update = n.update, updStm;
n.kexc = kexc;
if (!setup && !condition)
n.kreg = body;
else if (setup && !condition) {
setupStm = semiNode(setup);
n.kreg = setupStm;
markConts(setupStm, body, kexc);
}
else {// condition exists
condStm = semiNode(condition);
markConts(condStm, body, kexc);
if (setup) {
setupStm = semiNode(setup);
n.kreg = setupStm;
markConts(setupStm, condStm, kexc);
}
else n.kreg = condStm;
}
if (update) {
updStm = semiNode(update);
markConts(body, updStm, kexc);
markConts(updStm, kreg, kexc);
}
else markConts(body, kreg, kexc);
});
override(FOR_IN, function(n, kreg, kexc) {
var body = n.body;
n.kexc = kexc;
n.kreg = body;
markConts(body, kreg, kexc);
});
override(WHILE, function(n, kreg, kexc) {
var condStm = semiNode(n.condition), body = n.body;
n.kreg = condStm;
n.kexc = kexc;
markConts(condStm, body, kexc);
markConts(body, kreg, kexc);
});
override(DO, function(n, kreg, kexc) {
var condStm = semiNode(n.condition), body = n.body;
n.kreg = body;
n.kexc = kexc;
markConts(body, condStm, kexc);
markConts(condStm, kreg, kexc);
});
function markContsCatch(n, knocatch, kreg, kexc) {
var guard = n.guard, guardStm, block = n.block;
if (guard) {// Mozilla catch
// The guard is of the form (var if expr).
// If expr is truthy, the catch body is run w/ var bound to the exception.
// If expr is falsy, we go to the next block (another catch or finally).
// If the guard or the body throw, the next catches (if any) can't handle
// the exception, we go to the finally block (if any) directly.
markConts(guard);
guardStm = semiNode(guard);
n.kreg = guardStm;
guardStm.kcatch = block; // this catch handles the exception
guardStm.knocatch = knocatch; // this catch doesn't handle the exception
guardStm.kexc = kexc; // the guard throws a new exception
}
markConts(block, kreg, kexc);
}
override(TRY, function(n, kreg, kexc) {
var fin = n.finallyBlock, clause, clauses=n.catchClauses, knocatch, i, len;
// process back-to-front to avoid if-madness
if (fin) {
markConts(fin, kreg, kexc);
knocatch = kexc = kreg = fin; // TRY & CATCHes go to fin no matter what
}
for (len = clauses.length, i = len-1; i>=0; i--) {
clause = clauses[i];
markContsCatch(clause, knocatch, kreg, kexc);
knocatch = clause;
}
markConts(n.tryBlock, kreg, knocatch || kexc);
n.kreg = n.tryBlock;
});
})();
////////////////////////////////////////////////////////////////////////////////
//////////////////////////// CFA2 code /////////////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// abstract objects and abstract values are different!!!
var heap;
// modified[addr] is a timestamp that shows the last time heap[addr] was updated
var modified;
var timestamp;
// If i is the addr of a var, flags[i] is true if the var is a heap var.
var flags;
var exports_object;
var exports_object_av_addr;
var commonJSmode;
var timedout = false, timeout = 120; // stop after 2 minutes if you're not done
// A summary contains a function node (fn), an array of abstract values (args),
// a timestamp (ts) and abstract values (res) and (err). It means: when we call
// fn w/ args and the heap's timestamp is ts, the result is res and if fn can
// throw an exception, the value thrown is err.
// summaries: a map from addresses of fun nodes to triples {ts, insouts, type},
// where ts is a timestamp, insouts is an array of args-result pairs,
// and type is the join of all args-result pairs.
var summaries;
// pending contains info that exists in the runtime stack. For each pending call
// to evalFun, pending contains an object {args, ts} where args is the arguments
// of the call and ts is the timestamp at the time of the call.
var pending;
// core JS functions also use pending but differently.
// when initGlobals is called, count has its final value (core objs are in heap)
// FIXME, I'm violating the invariant in "function cfa2". Change it?
function initGlobals() {
big_ts = 1000; // used only when debugging
timestamp = 0;
heap = new Array(count); // reserve heap space, don't grow it gradually
modified = buildArray(count, timestamp);
summaries = {}; // We use {} instead of an Array b/c it's sparse.
pending = {};
flags = {};
exports_object = {lines : {}};
}
// string -> void
// works only in NodeJS
function dumpHeap(filename) {
var fd = fs.openSync(filename, "w", mode=0777);
for (var i = 0, l = heap.length; i < l; i++)
printf(fd, "[" + i + "]\n" + (heap[i] ? heap[i].toString(2) : "") + "\n");
fs.closeSync(fd);
}
// non-empty array of strings -> void
function normalizeUnionType(types) {
// any is a supertype of all types
if (types.memq("any")) {
types[0] = "any";
types.length = 1;
}
else
types.rmDups(function(e1, e2) {return e1 === e2;});
}
// Constructor for abstract properties
// Takes an object w/ the property's attributes
// Don't call from outside the abstract-values module, use addProp instead.
function Aprop(attribs){
this.aval = attribs.aval;
// writable, enumerable and configurable default to true
this.write = ("write" in attribs) ? attribs.write : true;
this.enum = ("enum" in attribs) ? attribs.enum : true;
this.config = ("config" in attribs) ? attribs.config : true;
}
// optional number -> string
Aprop.prototype.toString = function(indent) {
return this.aval.toString(indent);
};
// An abstract object o1 is represented as a JS object o2.
// A property of o1 named p has the name p- in o2.
// A special property p of o1 has the name -p in o2.
// Special properties: -number, -string, -proto, -fun, -addr
// -addr: the address of o1 in the heap
// -proto: the address of o1's prototype in the heap
// -fun: may point to a function node
// -number: may contain an Aval (join of properties w/ "numeric" names)
// -string: may contain an Aval (join of all properties)
function Aobj(specialProps) {
for (var p in specialProps) this["-" + p] = specialProps[p];
heap[specialProps.addr] = this; // put new object in heap
}
Aobj.prototype = new Array();
// Takes an optional array for cycle detection.
Aobj.prototype.toType = function(seenObjs) {
var self = this;
if (seenObjs) {
if (seenObjs.memq(self))
return "any";
else
seenObjs.push(self);
}
else
seenObjs = [self];
if (this["-fun"]) return funToType(this["-fun"], seenObjs);
var c = this.getProp("constructor-");
var types = [];
if (c === undefined) return "Global Object";
c.forEachObj(function(o) {if (o["-fun"]) types.push(o["-fun"].fname.name);});
if (types.length === 0)
throw errorWithCode(CFA_ERROR, "Didn't find a name for constructor");
normalizeUnionType(types);
if (types.length === 1) {
if (types[0] === "Array") return this.toArrayType(seenObjs);
return types[0];
}
return ("<" + types.join(" | ") + ">");
};
// void -> boolean
Aobj.prototype.isArray = function() {
var c = this.getProp("constructor-"), cobj;
if (c === undefined) return false;
if (c.objs.length !== 1) return false;
cobj = heap[c.objs[0]];
return cobj["-fun"] && cobj["-fun"].fname.name === "Array";
}
// For homogeneous arrays, include the type of their elms.
// Takes an optional array for cycle detection.
Aobj.prototype.toArrayType = function(seenObjs) {
var elmtype = BOTTOM, self = this;
this.forEachOwnProp(function(p) {
if (propIsNumeric(p)) elmtype = avjoin(elmtype, self.getOwnExactProp(p));
});
elmtype = elmtype.toType(seenObjs);
if (/\|/.test(elmtype) || elmtype === "any")
return "Array";
else
return "Array[" + elmtype + "]";
};
// void -> function node
Aobj.prototype.getFun = function() { return this["-fun"]; };
// Aval -> void
Aobj.prototype.updateProto = function(av) {
if (this["-proto"]) {
if (!avlt(av, this["-proto"])) {
this["-proto"] = avjoin(this["-proto"], av);
//print("++ts: 1");
++timestamp;
}
return;
}
this["-proto"] = av;
//print("++ts: 2");
++timestamp;
};
// string -> boolean
function propIsNumeric(p) {
return p === "-number" || (/-$/.test(p) && !isNaN(p.slice(0, -1)));
}
// act: Aobj, optional Array[string] -> {val : A, stop : boolean}
// combine: Array[A] -> A
function foldProtoChain(o, act, combine) {
function recur(o, seenObjs, seenProps) {
var v = act(o, seenProps), val = v.val;
if (v.stop) return val; // stop going up the chain
if (!o["-proto"]) return val; // reached the end of the prototype chain
if (seenObjs.memq(o))
return val;
else
seenObjs.push(o);
var a = [], solen = seenObjs.length, splen = seenProps.length;
o["-proto"].forEachObj(function(proto) {
a.push(recur(proto, seenObjs, seenProps));
seenObjs.splice(solen, seenObjs.length);
seenProps.splice(splen, seenProps.length);
});
a.push(val); // The current level's result is last, 'combine' pops to get it
return combine(a);
}
return recur(o, [], []);
}
// string -> Aval or undefined
// doesn't look in prototype chain
Aobj.prototype.getOwnExactProp = function(pname) {
return this[pname] && this[pname].aval;
};
// string -> Aval or undefined
// doesn't look in prototype chain
// pname is not "-number" or "-string"
Aobj.prototype.getOwnProp = function(pname) {
if (this.hasOwnProperty(pname))
return this[pname].aval;
if (this.numPropsMerged && propIsNumeric(pname))
return this["-number"].aval;
if (this.strPropsMerged)
return this["-string"].aval;
};
// string -> Aval or undefined
// May include "-number" and "-string" in its result
Aobj.prototype.getProp = function(pname) {
return getProp(this, pname, true);
};
// Aobj, string, boolean -> Aval or undefined
// pname is not "-number" or "-string"
// Looks in prototype chain. Returns undefined iff the property doesn't exist in
// *all* paths up the prototype chain o/w it returns an Aval.
// function getProp(o, pname, lax) {
// function act(o) {
// if (o.hasOwnProperty(pname))
// return {val : o[pname].aval, stop : true};
// if (lax && o.numPropsMerged) {
// if (propIsNumeric(pname))
// return {val : o["-number"].aval, stop : true};
// if (o.strPropsMerged)
// return {val : o["-string"].aval, stop : false};
// }
// return { stop : false };
// }
// function combine(avs) {
// var notfoundinsomechain = false, val = avs.pop();
// avs.forEach(function(av) {
// if (!av)
// notfoundinsomechain = true;
// else
// val = maybeavjoin(val, av);
// });
// return val && (notfoundinsomechain ? avjoin(AUNDEF, val) : val);
// }
// return foldProtoChain(o, act, combine);
// }
function getProp(o, pname, lax) {
var levels = 0, av;
while (o !== undefined && levels <= 2) {
if (o.hasOwnProperty(pname))
return o[pname].aval;
if (lax && o.numPropsMerged) {
if (propIsNumeric(pname))
return o["-number"].aval;
if (o.strPropsMerged)
av = maybeavjoin(av, o["-string"].aval);
}
levels++;
o = o["-proto"] && heap[o["-proto"].objs[0]];
}
return av;
}
Aobj.prototype.getNumProps = function() {
this.mergeNumProps();
return this["-number"].aval;
};
// Aobj.prototype.getStrProps = function() {
// function act(o, seenProps) {
// if (o.strPropsMerged)
// return {val : o["-string"].aval, stop : false};
// var val = BOTTOM;
// o.forEachOwnProp(function(pname, pval) {
// if (pval.enum && !seenProps.memq(pname)) {
// val = avjoin(val, o[pname].aval);
// (pname !== "-number") && seenProps.push(pname);
// }
// });
// return {val : val, stop : false};
// }
// function combine(avs) {
// var val = BOTTOM;
// avs.forEach(function(av) { val = avjoin(val, av); });
// return val;
// }
// return foldProtoChain(this, act, combine);
// };
Aobj.prototype.getStrProps = function() {
var levels = 0, av = BOTTOM, seenProps = [], o = this;
while (o !== undefined && levels <= 2) {
if (o.strPropsMerged)
av = avjoin(av, o["-string"].aval);
else
o.forEachOwnProp(function(pname, pval) {
if (pval.enum && !seenProps.memq(pname)) {
av = avjoin(av, o[pname].aval);
(pname !== "-number") && seenProps.push(pname);
}
});
levels++;
o = o["-proto"] && heap[o["-proto"].objs[0]];
}
return av;
};
// string, Object -> void
// attribs.aval is the property's value
// The property shouldn't be already present, it'll be overwritten
Aobj.prototype.addProp = function(prop, attribs) {
this[prop] = new Aprop(attribs);
};
// string, Aval -> void
Aobj.prototype.updateExactProp = function(pname, newv) {
if (this.hasOwnProperty(pname)) {
var p = this[pname];
if (!avlt(newv, p.aval)) {
p.aval = avjoin(p.aval, newv);
//print("++ts: 3");
++timestamp;
}
return;
}
this[pname] = new Aprop({aval : newv});
//print("++ts: 4");
++timestamp;
};
// string, Aval -> void
// pname is not "-number" or "-string"
Aobj.prototype.updateProp = function(pname, newv) {
function upd(pname, pval, newv) {
if (!avlt(newv, pval.aval)) {
pval.aval = avjoin(pval.aval, newv);
//print("++ts: 5");
++timestamp;
}
}
if (this.hasOwnProperty(pname))
// either it's not enumerable, or it doesn't interfere with "-number"
upd(pname, this[pname], newv);
else {// the new property is enumerable
if (this.strPropsMerged)
upd("-string", this["-string"], newv);
if (this.numPropsMerged && propIsNumeric(pname))
upd("-number", this["-number"], newv);
else if (!this.strPropsMerged) {
this[pname] = new Aprop({aval : newv});
//print("++ts: 6 " + pname);
++timestamp;
}
}
};
// Aval -> void
Aobj.prototype.updateNumProps = function(newv) {
this.mergeNumProps();
this.updateExactProp("-number", newv);
};
// Aval -> void
Aobj.prototype.updateStrProps = function(newv) {
this.mergeStrProps();
this.updateExactProp("-number", newv);
this.updateExactProp("-string", newv);
};
// merge all numeric properties of the object to one generic number property
Aobj.prototype.mergeNumProps = function() {
if (this.numPropsMerged) return;
var av = BOTTOM, self = this;
this.forEachOwnProp(function(p) {
if (propIsNumeric(p)) {
av = avjoin(av, self[p].aval);
delete self[p]; // don't keep a mix of merged and unmerged properties.
}
});
this.updateExactProp("-number", av); // this bumps timestamp, don't bump again
this.numPropsMerged = true;
};
Aobj.prototype.mergeStrProps = function() {
if (this.strPropsMerged) return;
if (!this.numPropsMerged) this.mergeNumProps();
var av = BOTTOM, self = this;
this.forEachOwnProp(function(pname, pval) {
if (pval.enum) {
av = avjoin(av, pval.aval);
if (pname !== "-number") delete self[pname];
}
});
this.updateExactProp("-string", av); // this bumps timestamp, don't bump again
this.strPropsMerged = true;
};
Aobj.prototype.forEachOwnProp = function(f) {
for (var p in this)
if (this[p] instanceof Aprop)
f(p, this[p]); // f may ignore its second argument
};
// Aobj.prototype.forEachEnumProp = function(f) {
// function act(o, seenProps) {
// for (var p in o) {
// var pval = o[p];
// if ((pval instanceof Aprop) && pval.enum
// && !seenProps.memq(p)) {
// f(p, pval.aval); // f may ignore its second argument
// seenProps.push(p);
// }
// }
// return { stop : false };
// }
// foldProtoChain(this, act, function() {});
// };
Aobj.prototype.forEachEnumProp = function(f) {
var levels = 0, av = BOTTOM, seenProps = [], o = this;
while (o !== undefined && levels <= 2) {
for (var p in o) {
var pval = o[p];
if ((pval instanceof Aprop) && pval.enum && !seenProps.memq(p)) {
f(p, pval.aval); // f may ignore its second argument
seenProps.push(p);
}
}
levels++;
o = o["-proto"] && heap[o["-proto"].objs[0]];
}
return av;
};
// optional number -> string
// Returns a multiline string, each line starts with indent (or more) spaces
Aobj.prototype.toString = function(indent) {
indent = indent || 0;
var i1 = buildString(indent, " "), i2 = i1 + " ";
var s = i1 + "<proto>:\n";
s += (this["-proto"] ? this["-proto"].toString(indent + 2) : (i2 + "??\n"));
if (this["-fun"]) {
s += i1 + "<function>:\n" + i2 + this["-fun"].fname.name +
(this["-fun"].lineno ? ("@" + this["-fun"].lineno) : "") + "\n";
}
var self = this;
this.forEachOwnProp(function(p) {
var pname = p;
if (p !== "-number" && p !== "-string")
pname = p.slice(0, -1);
s += i1 + pname + ":\n" + self[p].toString(indent + 2);
});
return s;
};
// An abstract value is an obj w/ 2 properties: base is a number whose bits
// encode the base values, objs is an array of sorted heap addresses that
// denotes a set of objects.
const BOTTOM = makeBaseAval(0), ANUM = makeBaseAval(1), ASTR = makeBaseAval(2);
const ATRU = makeBaseAval(4), AFALS = makeBaseAval(8), ABOOL = makeBaseAval(12);
const AUNDEF = makeBaseAval(16), ANULL = makeBaseAval(32);
const RESTARGS = -1;
const INVALID_TIMESTAMP = -1;
// constructor for abstract values. Should only be called from the wrappers.
function Aval() {}
// number -> Aval
function makeBaseAval(base) {
var v = new Aval();
v.base = base;
v.objs = [];
return v;
}
// number -> Aval
// When creating an abs. value, it can contain at most one object
function makeObjAval(objaddr) {
var v = new Aval();
v.base = 0;
v.objs = [objaddr];
return v;
}
// string -> Aval
function makeStrLitAval(s) {
var v = new Aval();
v.base = 2;
v.objs = [];
v.str = s;
return v;
}
// used by parts of the code that don't know the representation of Aval
Aval.prototype.getBase = function() { return makeBaseAval(this.base); };
// void -> string or undefined
Aval.prototype.getStrLit = function() { return this.str; };
// Merge ATRU and AFALS to one generic boolean in the base b
function mergeBoolsInBase(b) {
if (b & 8) b |= 4;
b = ((b & 48) >> 1) | (b & 7);
return b;
}
// Takes an optional array for cycle detection.
Aval.prototype.toType = function(seenObjs) {
var i = 1, base = mergeBoolsInBase(this.base), types = [];
var basetypes = {1 : "number", 2 : "string", 4 : "boolean",
8 : "undefined", 16 : "null"};
while (i <= 16) {
if ((base & i) === i) types.push(basetypes[i]);
i *= 2;
}
// If uncommented, tags show string constants where possible.
// if ((base & 2) && (this.str !== undefined)) {
// types.rmElmAfterIndex(function(s) {return s === "string";}, 0);
// types.push("\"" + this.str + "\"");
// }
seenObjs || (seenObjs = []);
var slen = seenObjs.length;
this.forEachObj(function (o) {
types.push(o.toType(seenObjs));
seenObjs.splice(slen, seenObjs.length);
});
if (types.length === 0) return "any";
normalizeUnionType(types);
if (types.length === 1) return types[0];
return ("<" + types.join(" | ") + ">");
};
// void -> Aval
// Used when scalars need to be converted to objects
Aval.prototype.baseToObj = function() {
var base = this.base;
if (base & 15 === 0) return this;
var av = makeBaseAval(0);
av.objs = this.objs;
if (base & 2) av = avjoin(av, generic_string_av);
if (base & 1) av = avjoin(av, generic_number_av);
if (base & 12) av = avjoin(av, generic_boolean_av);
return av;
};
// fun takes an Aobj
Aval.prototype.forEachObj = function(fun) {
var objaddrs = this.objs;
if (objaddrs.length === 1) // make common case faster
fun(heap[objaddrs[0]]);
else
objaddrs.forEach(function(addr) { fun(heap[addr]); });
};
// Like forEachObj but fun returns a boolean; if it's true, we stop.
Aval.prototype.forEachObjWhile = function(fun) {
var objaddrs = this.objs, len = objaddrs.length;
if (len === 1) // make common case faster
fun(heap[objaddrs[0]]);
else {
var i = 0, cont = false;
while (!cont && i < len)
cont = fun(heap[objaddrs[i++]]);
}
};
// string -> Aval
Aval.prototype.getProp = function(pname) {
var av = BOTTOM;
this.forEachObj(function(o) { av = avjoin(av, o.getProp(pname) || AUNDEF); });
return av;
};
// string, Aval -> void
Aval.prototype.updateProp = function(pname, av) {
this.forEachObj(function(o) { o.updateProp(pname, av); });
};
// array of Aval, node -> Ans
// Call each function with args. args[0] is what THIS is bound to.
// FIXME: record error if rator contains base vals and non-functions
Aval.prototype.callFun = function(args, callNode) {
var retval = BOTTOM, errval, ans, debugCalls = 0;
this.baseToObj().forEachObj(function(o) {
var clos = o.getFun();
if (!clos) return;
debugCalls++;
ans = evalFun(clos, args, false, callNode);
retval = avjoin(retval, ans.v);
errval = maybeavjoin(errval, ans.err);
});
// var ratorNode = callNode && callNode.children[0];
// if (!debugCalls) {
// var funName, ln = ratorNode.lineno;
// switch (ratorNode.type) {
// case IDENTIFIER:
// funName = ratorNode.name;
// break;
// case FUNCTION:
// funName = ratorNode.fname.name;
// break;
// case DOT:
// if (ratorNode.children[1].type === STRING) {
// funName = ratorNode.children[1].value.slice(0, -1);
// break;
// }
// // fall thru
// default:
// funName = "??";
// break;
// }
// if (args[0] === global_object_av)
// print("unknown function: " + funName + ", line " + (ln || "??"));
// else
// print("unknown method: " + funName + ", line " + (ln || "??"));
// }
return new Ans(retval, undefined, errval);
};
Aval.prototype.hasNum = function() { return this.base & 1; };
Aval.prototype.hasStr = function() { return this.base & 2; };
Aval.prototype.hasObjs = function() { return this.objs.length > 0; };
// returns true if it can guarantee that the Aval is falsy.
Aval.prototype.isFalsy = function() {
var base = this.base;
return this.objs.length === 0 && base !== 0 &&
(base % 8 === 0 || (base === 2 && this.str === "-"));
};
// returns true if it can guarantee that the Aval is truthy.
Aval.prototype.isTruthy = function() {
var base = this.base;
return (this.objs.length === 0 && ((base === 2 && this.str !== "-") ||
base === 4));
};
// optional number -> string
Aval.prototype.toString = function(indent) {
var i1 = buildString(indent || 0, " ");
var i = 1, base = mergeBoolsInBase(this.base), types = [];
var basetypes = {1 : "number", 2 : "string", 4 : "boolean",
8 : "undefined", 16 : "null"};
while (i <= 16) {
if ((base & i) === i) types.push(basetypes[i]);
i *= 2;
}
return (i1 + "Base: " + types.join(", ") + "\n" +
i1 + "Objects: " + this.objs.join(", ") + "\n");
};
// Aval, Aval -> Aval
function avjoin(v1, v2) {
var os1 = v1.objs, os1l = os1.length, os2 = v2.objs, os2l = os2.length;
var b1 = v1.base, b2 = v2.base, av = makeBaseAval(b1 | b2);
if (av.base & 2) {
if (b1 & 2) {
if (!(b2 & 2) || v1.str === v2.str)
av.str = v1.str;
}
else // (b2 & 2) is truthy
av.str = v2.str;
}
if (os1l === 0)
av.objs = os2; // need a copy of os2 here? I think not.
else if (os2l === 0)
av.objs = os1; // need a copy of os1 here? I think not.
else if (os1 === os2)
av.objs = os1;
else if (os1l === os2l) {
for (var i = 0; i < os1l; i++) if (os1[i] !== os2[i]) break;
if (i === os1l) {
av.objs = v2.objs = os1;
return av;
}
else
av.objs = arraymerge(os1, os2);
}
else // merge the two arrays
av.objs = arraymerge(os1, os2);
return av;
}
// Aval or undefined, Aval or undefined -> Aval or undefined
function maybeavjoin(v1, v2) {
if (!v1) return v2;
if (!v2) return v1;
return avjoin(v1, v2);
}
// Aval, Aval -> boolean
// compares abstract values for equality
function aveq(v1, v2) {
if (v1.base !== v2.base) return false;
if (v1.str !== v2.str) return false;
var os1 = v1.objs, os2 = v2.objs, len = os1.length, i;
if (len !== os2.length) return false;
if (os1 === os2) return true;
for (i=0; i<len; i++) if (os1[i] !== os2[i]) return false;
// os2 = os1; // Some extra sharing is possible.
return true;
}
// Aval, Aval -> boolean
// returns true if v1 is less than v2
function avlt(v1, v2) {
var b1 = v1.base, b2 = v2.base;
if (b1 > (b1 & b2)) return false;
if ((b1 & 2) && ("str" in v2) && v2.str !== v1.str)
return false;
var os1 = v1.objs, os1l = os1.length, os2 = v2.objs, os2l = os2.length;
if (os1l === 0 || os1 === os2) return true;
if (os1l > os2l) return false;
for (var i = 0, j = 0; i < os1l; i++) {
while (os2[j] < os1[i]) j++;
if (j === os2l || os1[i] !== os2[j])
return false; // there's an elm is os1 that's not in os2
}
return true;
}
// function node -> Aval
// If the program doesn't set a function's prototype property, create default.
function makeDefaultProto(n) {
var paddr = n.defaultProtoAddr;
var o = new Aobj({ addr: paddr, proto: object_prototype_av });
o["constructor-"] = new Aprop({aval: makeObjAval(n.addr), enum: false});
return makeObjAval(paddr);
}
// heap address, Aval -> void
function updateHeapAv(addr, newv) {
var oldv = heap[addr]; //oldv shouldn't be undefined
if (!avlt(newv, oldv)) {
heap[addr] = avjoin(oldv, newv);
//print("++ts: 7");
modified[addr] = ++timestamp;
}
}
// abstract plus
function aplus(v1, v2) {
if (v1.objs.length !== 0 || v2.objs.length !== 0)
return makeBaseAval(3);
var base = ((v1.base | v2.base) & 2); // base is 0 or 2
if ((v1.base & 61) !== 0 && (v2.base & 61) !== 0) base |= 1;
return makeBaseAval(base);
}
// Invariant: the following code should know nothing about the representation
// of abstract values.
////////////////////////////////////////////////////////////////////////////////
///////////////////// CORE AND CLIENT-SIDE OBJECTS //////////////////////////
////////////////////////////////////////////////////////////////////////////////
var global_object_av;
var global_object_av_addr;
var object_prototype_av;
var function_prototype_av;
var array_constructor;
var regexp_constructor;
// Used to automatically convert base values to objs and call methods on them
var generic_number_av;
var generic_string_av;
var generic_boolean_av;
// string, function, number -> function node
function funToNode(name, code, arity) {
var n = new Node({}, {type:FUNCTION});
n.fname = idNode({}, name);
n.builtin = true;
n.addr = newCount();
pending[count] = 0;
// built-in funs have no params property but they have an arity property
// instead. It's only used by the apply method.
n.arity = arity;
n.body = code;
return n;
}
// Aobj, string, function, number -> void
function attachMethod(o, mname, mcode, arity) {
var n = funToNode(mname, mcode, arity), addr = n.addr;
var fobj = new Aobj({ addr: addr,
proto: function_prototype_av,
fun: n });
o.addProp(mname + "-", { aval: makeObjAval(addr), enum : false });
return fobj;
}
// create the JS core objects in heap & fill in core
function initCoreObjs() {
function toStr(args) { return new Ans(ASTR); }
function toNum(args) { return new Ans(ANUM); }
function toBool(args) { return new Ans(ABOOL); }
function toThis(args) { return new Ans(args[0]); }
// Global object
var go = new Aobj({ addr: newCount() }), goav = makeObjAval(count);
global_object_av = heap[newCount()] = goav;
global_object_av_addr = count;
// global identifiers and methods
go.addProp("Infinity-", {aval:ANUM, write:false, enum:false, config:false});
go.addProp("NaN-", {aval:ANUM, write:false, enum:false, config:false});
go.addProp("undefined-",{aval:AUNDEF, write:false, enum:false, config:false});
// Object.prototype
var op = new Aobj({ addr: newCount() }), opav = makeObjAval(count);
object_prototype_av = opav;
// Object.__proto__ (same as Function.prototype)
var o_p = new Aobj({ addr: newCount(), proto: opav });
var o_pav = makeObjAval(count);
function_prototype_av = o_pav;
// Function.prototype.prototype
var fpp = new Aobj({ addr: newCount(), proto: opav });
o_p.addProp("prototype-",{aval:makeObjAval(count), enum:false, config:false});
fpp.addProp("constructor-", {aval : o_pav, enum : false});
// Object
var _Object = (function () {
// This object is used when Object is called w/out new.
// In reality the behavior doesn't change. In CFA, when there is no new,
// it's better to bind THIS to nonewav instead of the global object.
new Aobj({ addr: newCount(), proto: opav });
var nonewav = makeObjAval(count);
return function (args, withNew) {
var retval = withNew ? args[0] : nonewav;
var arg = args[1];
if (!arg) {
retval.forEachObj(function (o) { o.updateProto(opav); });
return new Ans(retval);
}
else {
// throw errorWithCode(CFA_ERROR, "call a suitable constructor, " +
// "hasn't been defined yet. FIXME");
retval.forEachObj(function (o) { o.updateProto(opav); });
return new Ans(retval);
}
};
})();
// Object is a heap var that will contain an Aval that points to o
var o = attachMethod(go, "Object", _Object, 0), oav = makeObjAval(count);
o.addProp("prototype-", {aval:opav, write:false, enum:false, config:false});
op.addProp("constructor-", {aval: oav, enum: false});
// Function
var f = new Aobj({addr: newCount(), proto: o_pav}), fav = makeObjAval(count);
go.addProp("Function-",{aval : fav, enum : false});
f.addProp("prototype-", {aval:o_pav, write:false, enum:false, config:false});
o_p.addProp("constructor-", {aval : fav, enum : false});
// Methods are attached here because o_pav must be defined already.
attachMethod(go, "isFinite", toBool, 1);
attachMethod(go, "isNaN", toBool, 1);
attachMethod(go, "parseInt", toNum, 1);
attachMethod(op, "hasOwnProperty", toBool, 1);
attachMethod(op, "toString", toStr, 0);
attachMethod(op, "valueOf", toThis, 0);
attachMethod(o_p, "toString", toStr, 0);
attachMethod(o_p, "call",
function(args, withNew, cn) {
var f = args.shift();
args[0] || args.unshift(global_object_av);
return f.callFun(args, cn);
}, 0);
attachMethod(o_p, "apply",
function(args, withNew, cn) {
var recv = args[1] || global_object_av, a2 = args[2], rands,
av, maxArity = 0, restargs, i, ans, retval = BOTTOM, errval;
// We can't compute the arguments once for all functions that
// may be applied. The functions may have different arity which
// impacts what goes to the restargs for each function.
args[0].forEachObj(function(o) {
var clos = o.getFun(), pslen, i;
if (!clos) return;
if (clos.builtin)
pslen = clos.arity;
else
pslen = clos.params.length;
// compute arguments
restargs = BOTTOM;
rands = buildArray(pslen, BOTTOM);
if (a2) { // a2 is the array passed at the call to apply.
a2.forEachObj(function(o) {
if (o.numPropsMerged) {
av = o.getNumProps();
restargs = avjoin(restargs, av);
for (i = 0; i < pslen; i++)
rands[i] = avjoin(rands[i], av);
}
else {
for (i = 0; i < pslen; i++) {
av = o.getOwnExactProp(i + "-") || AUNDEF;
rands[i] = avjoin(rands[i], av);
}
while (true) { // search for extra arguments
av = o.getOwnExactProp(i++ + "-");
// to find the end of the array, we must see that
// an elm *definitely* doesn't exist, different
// from AUNDEF
if (!av) break;
restargs = avjoin(restargs, av);
}
}
});
}
else {
rands = buildArray(pslen, BOTTOM);
}
// do function call
rands.unshift(recv);
rands.push(restargs);
ans = evalFun(clos, rands, false, cn);
retval = avjoin(retval, ans.v);
errval = maybeavjoin(errval, ans.err);
});
return new Ans(retval, undefined, errval);
}, 2);
(function () {
// Array.prototype
var ap = new Aobj({ addr: newCount(), proto: opav });
var apav = makeObjAval(count);
function putelms(args) {
var i, len = args.length;
args[0].forEachObj(function (o) {
for (i = 1; i < len; i++) o.updateNumProps(args[i]);
});
return new Ans(ANUM);
}
function getelms(args) {
var av = BOTTOM;
args[0].forEachObj(function (o) { av = avjoin(av, o.getNumProps()); });
return new Ans(av);
}
attachMethod(ap, "concat",
// lose precision by not creating a new array
function(args) {
var thisarr = args[0], av = BOTTOM;
// if arg is base, join it, if it's array join its elms
for (var i = 1, l = args.length; i < l; i++) {
var avarg = args[i];
av = avjoin(av, avarg.getBase());
avarg.forEachObj(function(o) {
if (o.isArray()) av = avjoin(av, o.getNumProps());
});
thisarr.forEachObj(function(o) { o.updateNumProps(av); });
}
return new Ans(thisarr);
}, 0);
attachMethod(ap, "join", toStr, 1);
attachMethod(ap, "pop", getelms, 0);
attachMethod(ap, "push", putelms, 0);
attachMethod(ap, "slice", toThis, 2);
attachMethod(ap, "sort", toThis, 1);
attachMethod(ap, "splice", toThis, 0);
attachMethod(ap, "shift", getelms, 0);
attachMethod(ap, "toString", toStr, 0);
attachMethod(ap, "unshift", putelms, 0);
// Array
var _Array = (function () {
// This object is used when Array is called w/out new
new Aobj({ addr: newCount(), proto: apav });
var nonewav = makeObjAval(count);
return function(args, withNew) {
var retval = withNew ? args[0] : nonewav;
var arglen = args.length;
retval.forEachObj(function (o) {
o.updateProto(apav);
if (o.getOwnExactProp("length-"))
o.updateProp("length-", ANUM);
else
o.addProp("length-", {aval : ANUM, enum : false});
});
if (arglen <= 2) // new Array(), new Array(size)
;
else { // new Array(elm1, ... , elmN)
retval.forEachObj(function (o) {
for (var i = 1; i < arglen; i++)
o.updateProp((i - 1) + "-", args[i]);
});
}
return new Ans(retval);
};
})();
array_constructor = _Array;
var a = attachMethod(go, "Array", _Array, 0), aav = makeObjAval(count);
a.addProp("prototype-", {aval:apav, write:false, enum:false, config:false});
ap.addProp("constructor-", {aval : aav, enum : false});
})();
(function () {
// Number.prototype
var np = new Aobj({ addr: newCount(), proto: opav });
var npav = makeObjAval(count);
attachMethod(np, "toString", toStr, 0);
attachMethod(np, "valueOf", toNum, 0);
// create generic number object
new Aobj({ addr: newCount(), proto: npav});
generic_number_av = makeObjAval(count);
// Number
function _Number(args, withNew) {
if (withNew) {
args[0].forEachObj(function (o) { o.updateProto(npav); });
return new Ans(args[0]);
}
return new Ans(ANUM);
}
var n = attachMethod(go, "Number", _Number, 0), nav = makeObjAval(count);
n.addProp("prototype-", {aval:npav, write:false, enum:false, config:false});
np.addProp("constructor-", {aval : nav, enum : false});
})();
(function () {
// String.prototype
var sp = new Aobj({ addr: newCount(), proto: opav });
var spav = makeObjAval(count);
attachMethod(sp, "charAt", toStr, 1);
attachMethod(sp, "charCodeAt", toNum, 1);
attachMethod(sp, "indexOf", toNum, 2);
attachMethod(sp, "lastIndexOf", toNum, 2);
// all Arrays returned by calls to match are merged in one
var omatch = new Aobj({ addr: newCount() });
var omatchav = avjoin(ANULL, makeObjAval(count));
array_constructor([omatchav], true);
omatch.updateNumProps(ASTR);
omatch.addProp("index-", {aval : ANUM});
omatch.addProp("input-", {aval : ASTR});
attachMethod(sp, "match", function(args) { return new Ans(omatchav); }, 1);
attachMethod(sp, "replace", toStr, 2);
attachMethod(sp, "slice", toStr, 2);
attachMethod(sp, "substr", toStr, 2);
attachMethod(sp, "substring", toStr, 2);
attachMethod(sp, "toLowerCase", toStr, 0);
attachMethod(sp, "toString", toStr, 0);
attachMethod(sp, "toUpperCase", toStr, 0);
// all Arrays returned by calls to split are merged in one
var osplit = new Aobj({ addr: newCount() });
var osplitav = makeObjAval(count);
array_constructor([osplitav], true);
osplit.updateNumProps(ASTR);
attachMethod(sp, "split", function(args) {
return new Ans(osplitav);
}, 2);
attachMethod(sp, "valueOf", toStr, 0);
// create generic string object
new Aobj({ addr: newCount(), proto: spav });
generic_string_av = makeObjAval(count);
// String
function _String(args, withNew) {
if (withNew) {
args[0].forEachObj(function (o) { o.updateProto(spav); });
return new Ans(args[0]);
}
return new Ans(ASTR);
}
var s = attachMethod(go, "String", _String, 1), sav = makeObjAval(count);
s.addProp("prototype-", {aval:spav, write:false, enum:false, config:false});
sp.addProp("constructor-", {aval : sav, enum : false});
attachMethod(s, "fromCharCode", toStr, 0);
})();
(function () {
// Error.prototype
var ep = new Aobj({ addr: newCount(), proto: opav });
var epav = makeObjAval(count);
attachMethod(ep, "toString", toStr, 0);
// Error
function _Error(args) {
args[0].forEachObj(function (o) {
o.updateProto(epav);
o.updateProp("message-", args[1] || ASTR);
});
return new Ans(args[0]);
}
var e = attachMethod(go, "Error", _Error, 1), eav = makeObjAval(count);
e.addProp("prototype-", {aval:epav, write:false, enum:false, config:false});
ep.addProp("constructor-", {aval : eav, enum : false});
ep.addProp("name-", {aval : ASTR, enum : false});
// SyntaxError.prototype
var sep = new Aobj({ addr: newCount(), proto: epav });
var sepav = makeObjAval(count);
// SyntaxError
function _SyntaxError(args) {
args[0].forEachObj(function (o) {
o.updateProto(sepav);
o.addProp("message-", {aval : ASTR});
});
return new Ans(args[0]);
}
var se = attachMethod(go, "SyntaxError", _SyntaxError, 1);
var seav = makeObjAval(count);
se.addProp("prototype-",{aval:sepav, write:false, enum:false,config:false});
sep.addProp("constructor-", {aval : seav, enum : false});
sep.addProp("name-", {aval : ASTR});
})();
(function () {
// RegExp.prototype
var rp = new Aobj({ addr: newCount(), proto: opav });
var rpav = makeObjAval(count);
// all Arrays returned by calls to exec are merged in one
var oexec = new Aobj({ addr: newCount() });
var oexecav = avjoin(ANULL, makeObjAval(count));
array_constructor([oexecav], true);
oexec.updateNumProps(ASTR);
oexec.addProp("index-", {aval : ANUM});
oexec.addProp("input-", {aval : ASTR});
attachMethod(rp, "exec", function(args) { return new Ans(oexecav); }, 1);
attachMethod(rp, "test", toBool, 1);
// RegExp
function _RegExp(args) {
args[0].forEachObj(function (o) {
o.updateProto(rpav);
o.addProp("global-",{aval:ABOOL, write:false, enum:false,config:false});
o.addProp("ignoreCase-",
{aval:ABOOL, write:false, enum:false, config:false});
o.addProp("lastIndex-", {aval : ANUM, enum : false, config : false});
o.addProp("multiline-",
{aval:ABOOL, write:false, enum:false, config:false});
o.addProp("source-",{aval:ASTR, write:false, enum:false, config:false});
});
return new Ans(args[0]);
}
regexp_constructor = _RegExp;
var r = attachMethod(go, "RegExp", _RegExp, 2), rav = makeObjAval(count);
r.addProp("prototype-", {aval:rpav, write:false, enum:false, config:false});
rp.addProp("constructor-", {aval : rav, enum : false});
})();
(function () {
// Date.prototype
var dp = new Aobj({ addr: newCount(), proto: opav });
var dpav = makeObjAval(count);
attachMethod(dp, "getDate", toNum, 0);
attachMethod(dp, "getDay", toNum, 0);
attachMethod(dp, "getFullYear", toNum, 0);
attachMethod(dp, "getHours", toNum, 0);
attachMethod(dp, "getMilliseconds", toNum, 0);
attachMethod(dp, "getMinutes", toNum, 0);
attachMethod(dp, "getMonth", toNum, 0);
attachMethod(dp, "getSeconds", toNum, 0);
attachMethod(dp, "getTime", toNum, 0);
attachMethod(dp, "getTimezoneOffset", toNum, 0);
attachMethod(dp, "getYear", toNum, 0);
attachMethod(dp, "setTime", toNum, 1);
attachMethod(dp, "toString", toStr, 0);
attachMethod(dp, "valueOf", toNum, 0);
// Date
function _Date(args, withNew) {
if (withNew) {
args[0].forEachObj(function (o) { o.updateProto(dpav); });
return new Ans(args[0]);
}
return new Ans(ASTR);
}
var d = attachMethod(go, "Date", _Date, 0), dav = makeObjAval(count);
d.addProp("prototype-", {aval:dpav, write:false, enum:false, config:false});
dp.addProp("constructor-", {aval : dav, enum : false});
})();
(function () {
// Math
var m = new Aobj({ addr: newCount(), proto: opav });
var mav = makeObjAval(count);
go.addProp("Math-", {aval : mav, enum : false});
m.addProp("constructor-", {aval : oav, enum : false});
m.addProp("E-", {aval : ANUM, write : false, enum : false, config : false});
m.addProp("LN10-",{aval : ANUM, write : false, enum : false, config:false});
m.addProp("LN2-", {aval : ANUM, write : false, enum : false, config:false});
m.addProp("LOG10E-", {aval : ANUM, write:false, enum:false, config:false});
m.addProp("LOG2E-", {aval : ANUM, write:false, enum:false, config:false});
m.addProp("PI-", {aval : ANUM, write : false, enum : false, config :false});
m.addProp("SQRT1_2-", {aval : ANUM, write:false, enum:false, config:false});
m.addProp("SQRT2-",{aval:ANUM, write:false, enum:false, config:false});
attachMethod(m, "abs", toNum, 1);
attachMethod(m, "acos", toNum, 1);
attachMethod(m, "asin", toNum, 1);
attachMethod(m, "atan", toNum, 1);
attachMethod(m, "atan2", toNum, 1);
attachMethod(m, "ceil", toNum, 1);
attachMethod(m, "cos", toNum, 1);
attachMethod(m, "exp", toNum, 1);
attachMethod(m, "floor", toNum, 1);
attachMethod(m, "log", toNum, 1);
attachMethod(m, "max", toNum, 0);
attachMethod(m, "min", toNum, 0);
attachMethod(m, "pow", toNum, 2);
attachMethod(m, "random", toNum, 0);
attachMethod(m, "round", toNum, 1);
attachMethod(m, "sin", toNum, 1);
attachMethod(m, "sqrt", toNum, 1);
attachMethod(m, "tan", toNum, 1);
})();
(function () {
// Boolean.prototype
var bp = new Aobj({ addr: newCount(), proto: opav });
var bpav = makeObjAval(count);
attachMethod(bp, "toString", toStr, 0);
attachMethod(bp, "valueOf", toBool, 0);
// create generic boolean object
new Aobj({ addr: newCount(), proto: bpav });
generic_boolean_av = makeObjAval(count);
// Boolean
function _Boolean(args, withNew) {
if (withNew) {
args[0].forEachObj(function (o) { o.updateProto(bpav); });
return new Ans(args[0]);
}
return new Ans(ABOOL);
}
var b = attachMethod(go, "Boolean", _Boolean, 1), bav = makeObjAval(count);
b.addProp("prototype-", {aval:bpav, write:false, enum:false, config:false});
bp.addProp("constructor-", {aval : bav, enum : false});
})();
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////// EVALUATION PREAMBLE /////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// frame, identifier node, Aval -> void
function frameSet(fr, param, val) {
fr[param.addr] = [val, timestamp]; // record when param was bound to val
}
// frame, identifier node -> Aval
function frameGet(fr, param) {
var pa = param.addr, binding = fr[pa];
if (binding[1] < modified[pa]) {
// if binding changed in heap, change it in frame to be sound
binding[0] = avjoin(binding[0], heap[pa]);
binding[1] = timestamp;
}
return binding[0];
}
// fun. node, array of Aval, timestamp -> [Aval, Aval] or false
function searchSummary(n, args, ts) {
var n_summaries = summaries[n.addr], insouts, summary;
if (n_summaries.ts < ts) return false;
insouts = n_summaries.insouts;
// Start from the end to find the elm that was pushed last
for (var i = insouts.length - 1; i >= 0; i--) {
summary = insouts[i];
// If no widening, turn avlt to aveq in the next line.
if (arrayeq(avlt, args, summary[0])) return summary.slice(-2);
}
return false;
}
// function node -> boolean
// check if any summary exists for this function node
function existsSummary(n) {
return summaries[n.addr].ts !== INVALID_TIMESTAMP;
}
// fun. node, array of Aval, Aval, Aval or undefined, timestamp -> void
function addSummary(n, args, retval, errval, ts) {
var addr = n.addr, summary = summaries[addr];
if (summary.ts === ts)
summary.insouts.push([args, retval, errval]);
else if (summary.ts < ts) { // discard summaries for old timestamps.
summary.ts = ts;
summary.insouts = [[args, retval, errval]];
}
// join new summary w/ earlier ones.
var insjoin = summary.type[0];
for (var i = 0, len = insjoin.length; i < len; i++)
insjoin[i] = avjoin(insjoin[i], args[i] || AUNDEF/*arg mismatch*/);
summary.type[1] = avjoin(summary.type[1], retval);
summary.type[2] = maybeavjoin(summary.type[2], errval);
}
function showSummaries() {
for (var addr in summaries) {
var f = heap[addr].getFun();
//print(f.fname.name + ": " + funToType(f));
}
}
// function node, array of Aval -> number or undefined
// How evalFun interprets the return value of searchPending
// Zero: new frame on the stack
// Positive number: throw to clear the stack b/c of timestamp increase
// Negative number: throw to clear the stack during recursion
// undefined: return w/out throwing during recursion
function searchPending(n, args) {
var bucket = pending[n.addr], len = bucket.length, i;
// We use the number of pending calls to n to clear the stack.
if (len === 0) return 0;
if (bucket[0].ts < timestamp) return len;
// Invariant: no two sets of args are related in \sqsubseteq.
for (i = 0; i < len; i++) {
// No need to keep going, a more general frame is pending.
if (arrayeq(avlt, args, bucket[i].args))
return;
// The deeper frame can be widened, throw to it.
else if (arrayeq(avlt, bucket[i].args, args))
return i - len;
}
return 0;
}
// function node, {args, timestamp} -> void
function addPending(n, elm) { pending[n.addr].push(elm); }
// function node -> {args, timestamp}
function rmPending(n) {
// // Uncomment when debugging
// var elm = pending[n.addr].pop();
// if (!elm) throw errorWithCode(CFA_ERROR, "Remove from empty pending.");
// return elm;
return pending[n.addr].pop();
}
// evalExp & friends use Ans to return tuples
function Ans(v, fr, err) {
this.v = v; // evalExp puts abstract values here, evalStm puts statements
this.fr = fr; // frame
err && (this.err = err); // Aval for exceptions thrown
}
// Initialize the heap for each fun decl, var decl and heap var.
// Because of this function, we never get undefined by reading from heap.
// Must be run after initGlobals and after initCoreObjs.
// Most Aobj`s that aren't core are created here.
var initDeclsInHeap, initDeclsInHeap_override;
(function() {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
initDeclsInHeap = walkerobj.walkAST;
initDeclsInHeap_override = override;
override(REGEXP, function(n) {
new Aobj({ addr: n.addr });
regexp_constructor([makeObjAval(n.addr)]);
});
// FIXME?: when array elms have the same type, they can be prematurely merged
// to help the speed of the algo e.g. in 3d-cube
override(ARRAY_INIT, function(n) {
new Aobj({ addr: n.addr });
array_constructor([makeObjAval(n.addr)], true);
n.children.forEach(initDeclsInHeap);
});
override(OBJECT_INIT, function(n) {
new Aobj({ addr: n.addr, proto: object_prototype_av });
n.children.forEach(function(prop) {
initDeclsInHeap(prop.children[0]);
initDeclsInHeap(prop.children[1]);
});
});
override(NEW_WITH_ARGS, function(n) {
new Aobj({ addr: n.addr });
initDeclsInHeap(n.children[0]);
n.children[1].children.forEach(initDeclsInHeap);
});
override(TRY, function(n) {
initDeclsInHeap(n.tryBlock);
n.catchClauses.forEach(function(c) {
if (c.exvar.kind === HEAP) heap[c.exvar.addr] = BOTTOM;
c.guard && initDeclsInHeap(c.guard);
initDeclsInHeap(c.block);
});
n.finallyBlock && initDeclsInHeap(n.finallyBlock);
});
function _function(n) {
var objaddr = n.addr, fn = n.fname,
obj = new Aobj({ addr: objaddr, fun: n, proto: function_prototype_av });
obj.addProp("prototype-", {aval:BOTTOM, enum:false});
if (fn.kind === HEAP)
heap[fn.addr] = makeObjAval(objaddr);
n.params.forEach(function(p) {if (p.kind === HEAP) heap[p.addr] = BOTTOM;});
flags[objaddr] = n;
// initialize summaries and pending
summaries[objaddr] = {
ts: INVALID_TIMESTAMP,
insouts: [],
type: [buildArray(n.params.length + 1, BOTTOM), BOTTOM]//arg 0 is for THIS
};
pending[objaddr] = [];
initDeclsInHeap(n.body);
}
override(FUNCTION, _function);
override(SCRIPT, function(n) {
n.funDecls.forEach(_function);
n.varDecls.forEach(function(vd){if (flags[vd.addr]) heap[vd.addr]=BOTTOM;});
n.children.forEach(initDeclsInHeap);
});
})();
// void -> Aval
// Used to analyze functions that aren't called
function makeGenericObj() {
new Aobj({ addr: newCount(), proto: object_prototype_av });
return makeObjAval(count);
}
////////////////////////////////////////////////////////////////////////////////
////////////////////////// EVALUATION FUNCTIONS ////////////////////////////
////////////////////////////////////////////////////////////////////////////////
// function for evaluating lvalues
// node, Ans, optional Aval -> Ans
// use n to get an lvalue, do the assignment and return the rvalue
var evalLval;
(function() {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
evalLval = walkerobj.walkAST;
function _stackref(n, ans, oldlval) {
if (n.assignOp) {
if (n.assignOp === PLUS)
ans.v = aplus(ans.v, oldlval);
else
ans.v = ANUM;
}
var newav = avjoin(frameGet(ans.fr, n), ans.v);
frameSet(ans.fr, n, newav);
// if n is a heap var, update heap so its heap refs get the correct Aval.
if (flags[n.addr]) updateHeapAv(n.addr, newav);
return ans;
}
function _heapref(n, ans, oldlval) {
if (n.assignOp) {
if (n.assignOp === PLUS)
ans.v = aplus(ans.v, oldlval);
else
ans.v = ANUM;
}
updateHeapAv(n.addr, ans.v);
return ans;
}
override(IDENTIFIER, function(n, ans, oldlval) {
if (n.kind === STACK)
return _stackref(n, ans, oldlval);
else
return _heapref(n, ans, oldlval);
});
override(INDEX, function(n, ans, oldlval) {
var rval = ans.v, fr = ans.fr, errval, ch = n.children;
if (n.assignOp) {
if (n.assignOp === PLUS)
rval = aplus(rval, oldlval);
else
rval = ANUM;
}
var prop = ch[1];
var ansobj = evalExp(ch[0], fr), avobj = ansobj.v;
fr = ansobj.fr;
errval = ansobj.err;
// Unsound: ignore everything the index can eval to except numbers & strings
if (prop.type === STRING)
avobj.updateProp(prop.value, rval);
else {
var ansprop = evalExp(prop, fr), avprop = ansprop.v;
fr = ansprop.fr;
errval = maybeavjoin(errval, ansprop.err);
if (avprop.hasNum())
avobj.forEachObj(function(o) { o.updateNumProps(rval); });
if (avprop.hasStr()) {
var slit = avprop.getStrLit();
if (slit)
avobj.updateProp(slit, rval);
else
avobj.forEachObj(function(o) { o.updateStrProps(rval); });
}
}
return new Ans(rval, fr, maybeavjoin(errval, ans.err));
});
function _dot(n, ans, oldlval) {
if (n.assignOp) {
if (n.assignOp === PLUS)
ans.v = aplus(ans.v, oldlval);
else
ans.v = ANUM;
}
var ch = n.children, ans2 = evalExp(ch[0], ans.fr);
ans2.v.updateProp(ch[1].value, ans.v);
ans.fr = ans2.fr;
ans.err = maybeavjoin(ans.err, ans2.err);
return ans;
}
override(DOT, _dot);
override(DOT_PROTO, _dot);
override(ARGUMENTS, function(n, ans, oldlval) {
// FIXME: handle assignment to the arguments array
return ans;
});
// in extremely rare cases, you can see a CALL as the lhs of an assignment.
override(CALL, function(n, ans, oldlval) {
return ans;
});
})();
// function for evaluating expressions
// node, frame -> Ans
var evalExp, evalExp_override;
(function() {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
evalExp = walkerobj.walkAST;
evalExp_override = override;
function _stackref(n, fr) { return new Ans(frameGet(fr, n), fr); }
function _heapref(n, fr) { return new Ans(heap[n.addr], fr); }
override(IDENTIFIER, function(n, fr) {
if (n.kind === STACK)
return _stackref(n, fr);
else
return _heapref(n, fr);
});
override(NUMBER, function(n, fr) { return new Ans(ANUM, fr); });
override(STRING,
function(n, fr) { return new Ans(makeStrLitAval(n.value), fr); });
override(TRUE, function(n, fr) { return new Ans(ATRU, fr); });
override(FALSE, function(n, fr) { return new Ans(AFALS, fr); });
override(NULL, function(n, fr) { return new Ans(ANULL, fr); });
override(REGEXP, function(n, fr){ return new Ans(makeObjAval(n.addr), fr); });
override(THIS, function(n, fr) { return new Ans(fr.thisav, fr); });
function _unary2num(n, fr) {
var ans = evalExp(n.children[0], fr);
ans.v = ANUM;
return ans;
}
[UNARY_PLUS, UNARY_MINUS, INCREMENT, DECREMENT, BITWISE_NOT].forEach(
function(tt) { override(tt, _unary2num); });
override(NOT, function(n, fr) {
var ans = evalExp(n.children[0], fr), av = ans.v;
if (av.isTruthy())
ans.v = AFALS;
else if (av.isFalsy())
ans.v = ATRU;
else
ans.v = ABOOL;
return ans;
});
override(TYPEOF, function(n, fr) {
var ans = evalExp(n.children[0], fr);
ans.v = ASTR;
return ans;
});
override(VOID, function(n, fr) {
var ans = evalExp(n.children[0], fr);
ans.v = AUNDEF;
return ans;
});
override(DELETE, function(n, fr) { // unsound: I'm not deleting anything
var ans = evalExp(n.children[0], fr);
ans.v = ABOOL;
return ans;
});
override(IN, function(n, fr) {
var ans1 = evalExp(n.children[0], fr);
var ans2 = evalExp(n.children[1], ans1.fr);
ans2.err = maybeavjoin(ans1.err, ans2.err);
var pname = ans1.v.getStrLit(), ans2v = ans2.v;
if (!ans2v.hasObjs())
ans2.v = AFALS;
else if (!pname)
ans2.v = ABOOL;
else {
var av = BOTTOM;
ans2v.forEachObj(function(o) {
if (!o.getProp(pname))
av = avjoin(av, AFALS);
else
av = avjoin(av, ATRU);
});
ans2.v = av;
}
return ans2;
});
function _binary2bool(n, fr) {
var ans1 = evalExp(n.children[0], fr);
var ans2 = evalExp(n.children[1], ans1.fr);
ans2.v = ABOOL;
ans2.err = maybeavjoin(ans1.err, ans2.err);
return ans2;
}
[EQ, NE, STRICT_EQ, STRICT_NE, LT, LE, GE, GT, INSTANCEOF].forEach(
function(tt) { override(tt, _binary2bool); });
function _andor(pred1, pred2) {
return function(n, fr) {
var ans1 = evalExp(n.children[0], fr), av = ans1.v;
if (pred1.call(av)) return ans1;
var ans2 = evalExp(n.children[1], ans1.fr);
ans2.err = maybeavjoin(ans1.err, ans2.err);
if (!pred2.call(av)) ans2.v = avjoin(av, ans2.v);
return ans2;
}
}
override(AND, _andor(Aval.prototype.isFalsy, Aval.prototype.isTruthy));
override(OR, _andor(Aval.prototype.isTruthy, Aval.prototype.isFalsy));
override(PLUS, function(n, fr) {
var ans1 = evalExp(n.children[0], fr);
var ans2 = evalExp(n.children[1], ans1.fr);
ans2.v = aplus(ans1.v, ans2.v);
ans2.err = maybeavjoin(ans1.err, ans2.err);
return ans2;
});
function _binary2num(n, fr) {
var ans1 = evalExp(n.children[0], fr);
var ans2 = evalExp(n.children[1], ans1.fr);
ans2.v = ANUM;
ans2.err = maybeavjoin(ans1.err, ans2.err);
return ans2;
}
[MINUS, MUL, DIV, MOD, BITWISE_OR, BITWISE_XOR, BITWISE_AND,
LSH, RSH, URSH].forEach(function(tt) { override(tt, _binary2num); });
override(PLUS_ASSIGN, function(n, fr) {
var ch = n.children;
// recomputing ch[0] for += is better than checking every lhs in evalLval
var ans = evalExp(ch[0], fr);
return evalLval(ch[0], evalExp(ch[1], fr), ans.v);
});
override(ASSIGN, function(n, fr) {
return evalLval(n.children[0], evalExp(n.children[1], fr));
});
override(HOOK, function(n, fr) {
var ch = n.children;
var ans = evalExp(ch[0], fr), test = ans.v, av = BOTTOM, err = ans.err;
if (!test.isFalsy()) {
ans = evalExp(ch[1], ans.fr);
av = avjoin(av, ans.v);
err = maybeavjoin(err, ans.err);
}
if (!test.isTruthy()) {
ans = evalExp(ch[2], ans.fr);
av = avjoin(av, ans.v);
err = maybeavjoin(err, ans.err);
}
return new Ans(av, ans.fr, err);
});
override(FUNCTION,
function(n, fr) { return new Ans(makeObjAval(n.addr), fr); });
override(COMMA, function(n, fr) {
var ans, av, errval;
n.children.forEach(function(exp) {
ans = evalExp(exp, fr);
av = ans.v; // keep last one
fr = ans.fr;
errval = maybeavjoin(errval, ans.err);
});
ans.v = av;
ans.err = errval;
return ans;
});
override(OBJECT_INIT, function(n, fr) {
var ans, errval, objaddr = n.addr, newobj = heap[objaddr];
n.children.forEach(function(pinit) {
ans = evalExp(pinit.children[1], fr);
fr = ans.fr;
newobj.updateProp(pinit.children[0].value, ans.v);
errval = maybeavjoin(errval, ans.err);
});
return new Ans(makeObjAval(objaddr), fr, errval);
});
override(ARRAY_INIT, function(n, fr) {
var ans, errval, arrayaddr = n.addr, newarray = heap[arrayaddr];
n.children.forEach(function(elm, i) {
ans = evalExp(elm, fr);
fr = ans.fr;
newarray.updateProp(i + "-", ans.v);
errval = maybeavjoin(errval, ans.err);
});
return new Ans(makeObjAval(arrayaddr), fr, errval);
});
override(DOT_PROTO, function(n, fr) {
var ans = evalExp(n.children[0], fr), ans2, av = BOTTOM,
av2, errval = ans.err;
// FIXME: record error if ans.v contains base values
ans.v.forEachObj(function(o) {
var clos = o.getFun(), proto;
if (!clos) { // if o isn't a function, this is just a property access
av2 = o.getProp("prototype-");
av = avjoin(av, av2 || AUNDEF);
}
else {
proto = o.getProp("prototype-");
if (!aveq(BOTTOM, proto))
av = avjoin(av, proto);
else {// create default prototype and return it
proto = makeDefaultProto(clos);
o.updateProp("prototype-", proto);
av = avjoin(av, proto);
}
}
});
ans2 = new Ans(av, ans.fr, errval);
ans2.thisav = ans.v; // used by method calls
return ans2;
});
override(INDEX, function(n, fr) {
var ansobj = evalExp(n.children[0], fr), avobj = ansobj.v.baseToObj(),
prop = n.children[1], errval = ansobj.err, av , ans;
fr = ansobj.fr;
// If [] notation is used with a constant, try to be precise.
// Unsound: ignore everything the index can eval to except numbers & strings
if (prop.type === STRING)
av = avobj.getProp(prop.value);
else {
var ansprop = evalExp(prop, fr), avprop = ansprop.v;
fr = ansprop.fr;
errval = maybeavjoin(errval, ansprop.err);
av = BOTTOM;
if (avprop.hasNum())
avobj.forEachObj(function(o) { av = avjoin(av, o.getNumProps()); });
if (avprop.hasStr()) {
var slit = avprop.getStrLit();
if (slit)
av = avjoin(av, avobj.getProp(slit));
else
avobj.forEachObj(function(o) { av = avjoin(av, o.getStrProps()); });
}
}
ans = new Ans(av, fr, errval);
ans.thisav = avobj;
return ans;
});
override(DOT, function(n, fr) {
var ans = evalExp(n.children[0], fr), avobj = ans.v.baseToObj();
ans.thisav = avobj; // used by method calls
ans.v = avobj.getProp(n.children[1].value);
return ans;
});
override(CALL, function(n, fr) {
// To see if the analysis reaches some program point in all.js, add some
// call: e10sDebug(some_msg) and uncomment the following code.
// if (n.children[0].value === "e10sDebug") {
// print(n.children[1].children[0].value);
// }
var ans = evalExp(n.children[0], fr), ans1, errval, rands = [];
rands.push(ans.thisav ? ans.thisav : global_object_av);
fr = ans.fr;
errval = ans.err;
// evaluate arguments
n.children[1].children.forEach(function(rand) {
ans1 = evalExp(rand, fr);
rands.push(ans1.v);
fr = ans1.fr;
errval = maybeavjoin(errval, ans1.err);
});
// call each function that can flow to the operator position
ans = ans.v.callFun(rands, n);
ans.fr = fr;
ans.err = maybeavjoin(errval, ans.err);
return ans;
});
override(NEW_WITH_ARGS, function(n, fr) {
var ch = n.children, rands = [], retval = BOTTOM;
var ans = evalExp(ch[0], fr), ans1, errval;
var objaddr = n.addr, thisobj = heap[objaddr];
rands.push(makeObjAval(objaddr));
fr = ans.fr;
errval = ans.err;
// evaluate arguments
ch[1].children.forEach(function(rand) {
ans1 = evalExp(rand, fr);
rands.push(ans1.v);
fr = ans1.fr;
errval = maybeavjoin(errval, ans1.err);
});
// FIXME: record error if rator contains base vals and non-functions
ans.v.baseToObj().forEachObj(function(o) {
var clos = o.getFun(), proto;
if (!clos) return;
proto = o.getProp("prototype-");
if (aveq(BOTTOM, proto)) {
// create default prototype & use it
proto = makeDefaultProto(clos);
o.updateProp("prototype-", proto);
}
thisobj.updateProto(proto);
// if a fun is called both w/ and w/out new, assume it's a constructor
clos.withNew = true;
ans = evalFun(clos, rands, true, n);
if (clos.hasReturn) // constructor uses return
retval = avjoin(retval, ans.v);
else // constructor doesn't use return
retval = avjoin(retval, rands[0]);
errval = maybeavjoin(errval, ans.err);
});
return new Ans(retval, fr, errval);
});
override(ARGUMENTS, function(n, fr) {
var index = n.children[0], ps = n.arguments;
var restargs = fr[RESTARGS] || BOTTOM, ans, av, errval;
if (index.type === NUMBER) {
var iv = index.value;
if (iv < 0)
av = AUNDEF;
else if (iv < ps.length)
av = frameGet(fr, ps[iv]);
else
av = restargs; // unsound: not checking if iv > #args
}
else {
ans = evalExp(index, fr);
fr = ans.fr;
errval = ans.err;
av = BOTTOM;
// when we don't know the index, we return the join of all args
ps.forEach(function(p) { av = avjoin(av, frameGet(fr, p)); });
av = avjoin(av, restargs);
}
return new Ans(av, fr, errval);
});
})();
// function for evaluating statements
// node, frame -> Ans
// Evaluate the statement and find which statement should be executed next.
var evalStm;
(function() {
var walkerobj = walkASTgenerator(), override = walkerobj.override;
evalStm = walkerobj.walkAST;
override(SEMICOLON, function(n, fr) {
var ans = evalExp(n.expression, fr);
ans.v = n.kreg;
return ans;
});
function _next(n, fr) { return new Ans(n.kreg, fr); }
[BLOCK, CASE, DEFAULT, DO, FINALLY, FOR, IF, SWITCH, TRY, WHILE].forEach(
function(tt) { override(tt, _next); });
override(FOR_IN, function(n, fr) {
// For most kinds of iterators at FOR/IN we have to be conservative
// (e.g. DOTs or INDEXes). Without flow sensitivity, we even have to be
// conservative for stack refs that have been initialized, we can't forget
// their current value. We can only be precise when the iterator is a stack
// reference and the variable is BOTTOM in the frame.
var ans = evalExp(n.object, fr), errval, av;
var it = n.iterator, b = n.body;
if (it.type === IDENTIFIER &&
it.kind === STACK &&
aveq(BOTTOM, frameGet(fr, it))) {
av = ans.v;
errval = ans.err;
av.forEachObj(function(o) {
o.forEachEnumProp(function(p) {
// wipe the value of it from the previous iteration
frameSet(fr, it, makeStrLitAval(p));
if (flags[it.addr]) updateHeapAv(it.addr, makeStrLitAval(p));
ans = evalStm(b, fr);
errval = maybeavjoin(errval, ans.err);
});
});
ans.v = b.kreg;
ans.err = errval;
}
else {
av = BOTTOM;
ans.v.forEachObj(function(o) {
o.forEachEnumProp(function(p) {
if (propIsNumeric(p))
av = avjoin(av, ANUM);
else
av = avjoin(av, ASTR);
});
});
ans.v = av;
ans = evalLval(n.iterator, ans);
ans.v = b;
}
return ans;
});
override(CATCH, function(n, fr) { return new Ans(n.block, fr); });
override(THROW, function(n, fr) {
var ans = evalExp(n.exception, fr);
ans.err = maybeavjoin(ans.err, ans.v);
ans.v = n.kreg;
return ans;
});
})();
var big_ts;
// StackCleaner inherits from Error and is not used to signal errors, but to
// manage the size of the runtime stack.
// function node, number, optional array of Aval
function StackCleaner(fn, howmany, args) {
this.fn = fn;
this.howmany = howmany;
if (args) this.args = args;
}
StackCleaner.prototype = new Error();
// function node, array of Aval, boolean, optional call node -> Ans w/out fr
// Arg 4 is the node that caused the function call (if there is one).
function evalFun(fn, args, withNew, cn) {
var ans, n, params, fr, w, script = fn.body, pelm1;
var retval = BOTTOM, errval = BOTTOM;
// stm node (exception continuation), av (exception value) -> void
function stmThrows(n, errav) {
if (n) {
if (n.type === CATCH) {
var exvar = n.exvar;
if (exvar.kind === HEAP)
heap[exvar.addr] = avjoin(errav, heap[exvar.addr]);
if (fr[exvar.addr]) // revealing the representation of frame here.
frameSet(fr, exvar, avjoin(errav, frameGet(fr, exvar)));
else
frameSet(fr, exvar, errav);
}
w.push(n);
}
else
errval = avjoin(errval, errav);
}
if (process.uptime() > timeout) throw new Error("timeout");
// if (timestamp > big_ts) {
// print("big ts: " + timestamp);
// dumpHeap("heapdump" + timestamp + ".txt");
// big_ts += 1000;
// if (big_ts > 100000) throw new Error("foobar");
// }
// treat built-in functions specially
if (fn.builtin) {
// return fn.body(args, withNew, cn);
// If there's an input for which built-ins cause stack overflow, uncomment.
var addr = fn.addr;
if (pending[addr] > 1) {
return new Ans(BOTTOM, undefined, BOTTOM);
}
++pending[addr];
try {
ans = fn.body(args, withNew, cn);
--pending[addr];
return ans;
}
catch (e) {
if (e instanceof StackCleaner) --pending[addr];
throw e;
}
}
var tsAtStart;
var result = searchSummary(fn, args, timestamp);
if (result) return new Ans(result[0], undefined, result[1]);
while(true) {
try {
tsAtStart = timestamp;
// pending & exceptions prevent the runtime stack from growing too much.
var pelm2 = searchPending(fn, args);
if (pelm2 === 0) {
pelm1 = {args : args, ts : timestamp};
addPending(fn, pelm1);
}
else if (pelm2 === undefined) {
// If a call eventually leads to itself, stop analyzing & return BOTTOM.
// Add a summary that describes the least solution.
addSummary(fn, args, BOTTOM, BOTTOM, tsAtStart);
return new Ans(BOTTOM, undefined, BOTTOM);
}
else if (pelm2 > 0) {
// There are pending calls that are obsolete because their timestamp is
// old. Discard frames to not grow the stack too much.
throw new StackCleaner(fn, pelm2);
}
else /* if (pelm2 < 0) */ {
throw new StackCleaner(fn, -pelm2, args);
}
w = [];
fr = {};
params = fn.params;
frameSet(fr, fn.fname, makeObjAval(fn.addr));
// args[0] is always the obj that THIS is bound to.
// THIS never has a heap ref, so its entry in the frame is special.
fr.thisav = args[0];
// Bind formals to actuals
for (var i = 0, len = params.length; i < len; i++) {
var param = params[i], arg = args[i+1] || AUNDEF;//maybe #args < #params
if (param.kind === HEAP) updateHeapAv(param.addr, arg);
frameSet(fr, param, arg);
}
var argslen = args.length;
if ((++i) < argslen) { // handling of extra arguments
var restargs = BOTTOM;
for (; i<argslen; i++) restargs = avjoin(restargs, args[i]);
fr[RESTARGS] = restargs; // special entry in the frame.
}
// bind a non-init`d var to bottom, not undefined.
script.varDecls.forEach(function(vd) { frameSet(fr, vd, BOTTOM); });
// bind the fun names in the frame.
script.funDecls.forEach(function(fd) {
frameSet(fr, fd.fname, makeObjAval(fd.addr));
});
w.push(script.kreg);
while (w.length !== 0) {
n = w.pop();
if (n === undefined) continue;
if (n.type === RETURN) {
ans = evalExp(n.value, fr);
// fr is passed to exprs/stms & mutated, no need to join(fr, ans.fr)
fr = ans.fr;
retval = avjoin(retval, ans.v);
w.push(n.kreg);
if (ans.err) stmThrows(n.kexc, ans.err);
}
else {
ans = evalStm(n, fr);
fr = ans.fr;
w.push(ans.v);
if (ans.err) stmThrows(n.kexc, ans.err);
}
}
rmPending(fn);
if (!fn.hasReturn) retval = AUNDEF;
// Find if a summary has been added during recursion.
result = searchSummary(fn, args, tsAtStart);
if (!result || (avlt(retval, result[0]) && avlt(errval, result[1]))) {
// Either fn isn't recursive, or the fixpt computation has finished.
if (!result) addSummary(fn, args, retval, errval, tsAtStart);
return new Ans(retval, undefined, errval);
}
else {
retval = avjoin(result[0], retval);
errval = avjoin(result[1], errval);
// The result changed the last summary; update summary and keep going.
addSummary(fn, args, retval, errval, tsAtStart);
}
}
catch (e) {
if (!(e instanceof StackCleaner)) {
// analysis error, irrelevant to the stack-handling code
throw e;
}
if (!pelm1) throw e;
rmPending(fn);
if (e.fn !== fn) throw e;
if (e.howmany !== 1) {
e.howmany--;
throw e;
}
if (e.args) args = e.args;
}
}
}
// maybe merge with evalFun at some point
function evalToplevel(tl) {
var w /* workset */, fr, n, ans;
w = [];
fr = {};
initDeclsInHeap(tl);
fr.thisav = global_object_av;
// bind a non-init`d var to bottom, different from assigning undefined to it.
tl.varDecls.forEach(function(vd) { frameSet(fr, vd, BOTTOM); });
// bind the fun names in the frame.
tl.funDecls.forEach(function(fd) {
frameSet(fr, fd.fname, makeObjAval(fd.addr));
});
// evaluate the stms of the toplevel in order
w.push(tl.kreg);
while (w.length !== 0) {
n = w.pop();
if (n === undefined) continue; // end of toplevel reached
if (n.type === RETURN)
; // record error, return in toplevel
else {
ans = evalStm(n, fr);
fr = ans.fr;
w.push(ans.v);
// FIXME: handle toplevel uncaught exception
}
}
//print("call uncalled functions");
// each function w/out a summary is called with unknown arguments
for (var addr in summaries) {
var f = heap[addr].getFun();
if (!existsSummary(f)) {
var any_args = buildArray(f.params.length, BOTTOM);
any_args.unshift(makeGenericObj());
evalFun(f, any_args, false);
}
}
//showSummaries();
}
// initGlobals and initCoreObjs are difficult to override. The next 2 vars help
// clients of the analysis add stuff to happen during initialization
var initOtherGlobals, initOtherObjs;
// consumes the ast returned by jsparse.parse
function cfa2(ast) {
count = 0;
astSize = 0;
initGlobals();
initOtherGlobals && initOtherGlobals();
//print("fixStm start");
fixStm(ast);
//print("fixStm succeeded");
initCoreObjs();
initOtherObjs && initOtherObjs();
//print("initObjs done");
if (commonJSmode) { // create the exports object
var e = new Aobj({ addr: newCount() }), eav = makeObjAval(count);
heap[newCount()] = eav;
exports_object_av_addr = count;
exports_object.obj = e;
}
labelAST(ast);
//print("labelStm done");
desugarWith(ast, undefined, []);
//print("desugarWith done");
desugarLet(ast);
tagVarRefs(ast, [], [], "toplevel");
//print("tagrefsStm done");
markConts(ast, undefined, undefined);
//print("markconts done");
try {
//print("Done with preamble. Analysis starting.");
evalToplevel(ast);
//print("after cfa2");
// print("AST size: " + astSize);
// print("ts: " + timestamp);
// dumpHeap("heapdump.txt");
}
catch (e) {
if (e.message !== "timeout") {
print(e.message);
console.trace();
if (! ("code" in e)) e.code = CFA_ERROR;
throw e;
}
else
timedout = true;
}
}
// function node -> string
function funToType(n, seenObjs) {
if (n.builtin)
return "function"; // FIXME: tag built-in nodes w/ their types
if (seenObjs) {
if (seenObjs.memq(n))
return "any";
else
seenObjs.push(n);
}
else {
seenObjs = [n];
}
var addr = n.addr, summary = summaries[addr];
if (summary.ts === INVALID_TIMESTAMP) // the function was never called
return "function";
var insjoin = summary.type[0], instypes = [], outtype, slen = seenObjs.length;
for (var i = 1, len = insjoin.length; i < len; i++) {
instypes[i - 1] = insjoin[i].toType(seenObjs);
// each argument must see the same seenObjs, the initial one.
seenObjs.splice(slen, seenObjs.length);
}
if (n.withNew && !n.hasReturn) {
outtype = n.fname.name;
// If a fun is called both w/ and w/out new, assume it's a constructor.
// If a constructor is called w/out new, THIS is bound to the global obj.
// In this case, the result type must contain void.
var thisObjType = insjoin[0].toType(seenObjs);
if (/Global Object/.test(thisObjType))
outtype = "<void | " + outtype + ">";
}
else
outtype = summary.type[1].toType(seenObjs);
if (outtype === "undefined") outtype = "void";
return (outtype + " function(" + instypes.join(", ") +")");
}
// node, string, Array of string, cmd-line options -> Array of ctags
function getTags(ast, pathtofile, lines, options) {
const REGEX_ESCAPES = { "\n": "\\n", "\r": "\\r", "\t": "\\t" };
var tags = [];
function regexify(str) {
function subst(ch) {
return (ch in REGEX_ESCAPES) ? REGEX_ESCAPES[ch] : "\\" + ch;
}
str || (str = "");
return "/^" + str.replace(/[\\/$\n\r\t]/g, subst) + "$/";
}
if (options.commonJS) commonJSmode = true;
// print(pathtofile);
cfa2(ast);
// print("Flow analysis done. Generating tags");
if (exports_object.obj) {
var eo = exports_object.obj;
eo.forEachOwnProp(function (p) {
var av = eo.getOwnExactProp(p);
var tag = {};
tag.name = /-$/.test(p) ? p.slice(0, -1) : p.slice(1);
tag.tagfile = pathtofile;
tag.addr = regexify(lines[exports_object.lines[p] - 1]);
var type = av.toType();
if (/(^<.*> function)|(^[^<>\|]*function)/.test(type))
tag.kind = "f";
else
tag.kind = "v";
tag.type = type;
tag.module = options.module;
tag.lineno = exports_object.lines[p];
tags.push(tag);
});
}
for (var addr in summaries) {
var f = heap[addr].getFun();
tags.push({ name : f.fname.name || "%anonymous_function",
tagfile : pathtofile,
addr : regexify(lines[f.lineno - 1]),
kind : "f",
type : funToType(f),
lineno : f.lineno.toString(),
sortno : f.lineno.toString()
});
}
ast.varDecls.forEach(function(vd) {
tags.push({ name : vd.name,
tagfile : pathtofile,
addr : regexify(lines[vd.lineno - 1]),
kind : "v",
type : heap[vd.addr].toType(),
lineno : vd.lineno.toString(),
sortno : vd.lineno.toString()
});
});
return tags;
}
// node -> boolean
// hacky test suite. Look in run-tests.js
function runtest(ast) {
cfa2(ast);
// find test's addr at the toplevel
var testaddr, fds = ast.funDecls;
for (var i = 0, len = fds.length; i < len; i++)
if (fds[i].fname.name === "test") {
testaddr = fds[i].addr;
break;
}
if (testaddr === undefined) throw errorWithCode(CFA_ERROR, "Malformed test");
var type = summaries[testaddr].type;
// print(type[0][1]);
// print(type[1]);
return aveq(type[0][1], type[1]);
}
exports.cfa2 = cfa2;
exports.runtest = runtest;
exports.getTags = getTags;
////////////////////////////////////////////////////////////////////////////////
////////////// DATA DEFINITIONS FOR THE AST RETURNED BY JSPARSE ////////////
////////////////////////////////////////////////////////////////////////////////
function walkExp(n) {
switch (n.type){
//nullary
case NULL:
case THIS:
case TRUE:
case FALSE:
break;
case IDENTIFIER:
case NUMBER:
case STRING:
case REGEXP:
// n.value
break;
//unary
case DELETE:
case VOID:
case TYPEOF:
case NOT:
case BITWISE_NOT:
case UNARY_PLUS: case UNARY_MINUS:
case NEW:
walkExp(n.children[0]);
break;
case INCREMENT: case DECREMENT:
// n.postfix is true or undefined
walkExp(n.children[0]);
break;
//binary
case CALL:
case NEW_WITH_ARGS:
walkExp(n.children[0]);
//n[1].type === LIST
n.children[1].children.forEach(walkExp);
break;
case IN:
walkExp(n.children[0]); // an exp which must eval to string
walkExp(n.children[1]); // an exp which must eval to obj
break;
case DOT:
walkExp(n.children[0]);
walkExp(n.children[1]); // must be IDENTIFIER
break;
case BITWISE_OR: case BITWISE_XOR: case BITWISE_AND:
case EQ: case NE: case STRICT_EQ: case STRICT_NE:
case LT: case LE: case GE: case GT:
case INSTANCEOF:
case LSH: case RSH: case URSH:
case PLUS: case MINUS: case MUL: case DIV: case MOD:
case AND: case OR:
case ASSIGN: // n[0].assignOp shows which op-and-assign operator we have here
case INDEX: // property indexing
walkExp(n.children[0]);
walkExp(n.children[1]);
break;
//ternary
case HOOK:
walkExp(n.children[0]);
walkExp(n.children[1]);
walkExp(n.children[2]);
break;
//variable arity
case COMMA:
case ARRAY_INIT: // array literal
n.children.forEach(walkExp);
break;
case OBJECT_INIT:
n.children.forEach(function(prop) { // prop.type === PROPERTY_INIT
walkExp(prop.children[0]); // identifier, number or string
walkExp(prop.children[1]);
});
break;
//other
case FUNCTION:
// n.name is a string
// n.params is an array of strings
// n.functionForm === EXPRESSED_FORM
walkStm(n.body);
break;
}
}
function walkStm(n) {
switch (n.type) {
case SCRIPT:
case BLOCK:
n.children.forEach(walkStm);
break;
case FUNCTION:
// n.name is a string
// n.params is an array of strings
// n.functionForm === DECLARED_FORM or STATEMENT_FORM
// STATEMENT_FORM is for funs declared in inner blocks, like IF branches
// It doesn't extend the funDecls of the script, bad!
walkStm(n.body);
break;
case SEMICOLON:
n.expression && walkExp(n.expression);
break;
case IF:
walkExp(n.condition);
walkStm(n.thenPart);
n.elsePart && walkStm(n.elsePart);
break;
case SWITCH:
walkExp(n.discriminant);
// a switch w/out branches is legal, n.cases is []
n.cases.forEach(function(branch) {
branch.caseLabel && walkExp(branch.caseLabel);
// if the branch has no stms, branch.statements is an empty block
walkStm(branch.statements);
});
break;
case FOR:
if (n.setup) {
if (n.setup.type === VAR || n.setup.type === CONST)
walkStm(n.setup);
else walkExp(n.setup);
}
n.condition && walkExp(n.condition);
n.update && walkExp(n.update);
walkStm(n.body);
break;
case FOR_IN:
// n.varDecl may be used when there is a LET at the head of the for/in loop.
walkExp(n.iterator);
walkExp(n.object);
walkStm(n.body);
break;
case WHILE:
case DO:
walkExp(n.condition);
walkStm(n.body);
break;
case BREAK:
case CONTINUE:
// do nothing: n.label is just a name, n.target points back to ancestor
break;
case TRY:
walkStm(n.tryBlock);
n.catchClauses.forEach(function(clause) { // clause.varName is a string
clause.guard && walkExp(clause.guard);
walkStm(clause.block);
});
n.finallyBlock && walkStm(n.finallyBlock);
break;
case THROW:
walkExp(n.exception);
break;
case RETURN:
n.value && walkExp(n.value);
break;
case WITH:
walkExp(n.object);
walkStm(n.body);
break;
case LABEL:
// n.label is a string
walkStm(n.statement);
break;
case VAR:
case CONST: // variable or constant declaration
// vd.name is a string
// vd.readOnly is true for constants, false for variables
n.children.forEach(function(vd) { walkExp(vd.initializer); });
break;
}
return n;
}
////////////////////////////////////////////////////////////////////////////////
//////////// EVENT CLASSIFICATION FOR FIREFOX ADDONS /////////////////////
////////////////////////////////////////////////////////////////////////////////
var e10sResults, chrome_obj_av_addr, Chrome, Content;
(function() {
// Initializing functions are overriden here
initOtherGlobals = function() {
// make separate constructors for chrome and content objs, so that we can
// distinguish them w/ instanceof
Chrome = function(specialProps) { Aobj.call(this, specialProps); }
Chrome.prototype = new Aobj({ addr: newCount() });
Content = function(specialProps) { Aobj.call(this, specialProps); }
Content.prototype = new Aobj({ addr: newCount() });
e10sResults = {};
};
initOtherObjs = initDOMObjs;
tagVarRefs_override(IDENTIFIER, tagVarRefsId(true));
// Must be called *after* the desugarings.
function initDeclsInHeap_e10s(n) {
// "Attach listener" have one more property called status:
// status is an Array of four strings, describing the listener:
// event name: some specific name or unknown
// attached on: chrome, content or any
// originates from: chrome, content or any
// flagged: safe or unsafe
n.addr = newCount();
e10sResults[count] = {
lineno : n.lineno,
analyzed : false,
kind : (n.type === DOT && n.children[1].value === "addEventListener-") ?
"Attach listener" : "Touch content"
};
n.children.forEach(initDeclsInHeap);
}
initDeclsInHeap_override(DOT, initDeclsInHeap_e10s);
initDeclsInHeap_override(INDEX, initDeclsInHeap_e10s);
})();
function initDOMObjs() {
function toThis(args) { return new Ans(args[0]); }
// the whole DOM tree is modeled by 2 chrome and 1 content object
var chr = new Chrome({ addr: newCount() }), chrav = makeObjAval(count);
chrome_obj_av_addr = newCount();
heap[chrome_obj_av_addr] = chrav;
var chr2 = new Chrome({ addr: newCount() }), chr2av = makeObjAval(count);
var con = new Content({ addr: newCount() }), conav = makeObjAval(count);
chr.addProp("content-", { aval: chr2av, enum: false });
chr.addProp("contentDocument-", { aval: conav, enum: false });
chr.addProp("contentWindow-", { aval: chr2av, enum: false });
chr.addProp("defaultView-", { aval: conav, enum: false });
chr2.addProp("document-", { aval: conav, enum: false });
con.addProp("documentElement-", { aval: conav, enum: false });
chr.addProp("opener-", { aval: chrav, enum: false });
con.addProp("opener-", { aval: conav, enum: false });
chr.addProp("selectedBrowser-", { aval: chrav, enum: false });
["firstChild-", "lastChild-", "nextSibling-", "top-"].forEach(
function(pname) {
chr.addProp(pname, { aval: chrav, enum: false });
chr2.addProp(pname, { aval: chr2av, enum: false });
con.addProp(pname, { aval: conav, enum: false });
}
);
chr.addProp("parentNode-", { aval: chrav, enum: false });
chr2.addProp("parentNode-", { aval: chrav, enum: false });
con.addProp("parentNode-", { aval: conav, enum: false });
attachMethod(chr, "getBrowser", toThis, 0);
["getElementById", "appendChild", "removeChild", "createElement"].forEach(
function(fname) {
attachMethod(chr, fname, toThis, 1);
attachMethod(con, fname, toThis, 1);
}
);
// chrarr is for functions that normally return a Node list of chrome elms
var chrarr = new Aobj({ addr: newCount() }), chrarrav = makeObjAval(count);
array_constructor([chrarrav], true);
chrarr.updateNumProps(chrav);
// conarr is for functions that normally return a Node list of content elms
var conarr = new Aobj({ addr: newCount() }), conarrav = makeObjAval(count);
array_constructor([conarrav], true);
conarr.updateNumProps(conav);
function toNodeList(args) {
var av = BOTTOM, both = 0;
args[0].forEachObjWhile(function(o) {
if (o instanceof Chrome) {
av = avjoin(av, chrarrav);
both |= 1;
}
if (o instanceof Content) {
av = avjoin(av, conarrav);
both |= 2;
}
return both === 3;
});
return new Ans(av);
}
chr.addProp("childNodes-", { aval: chrarrav, enum: false });
chr2.addProp("childNodes-", { aval: chrarrav, enum: false });
con.addProp("childNodes-", { aval: conarrav, enum: false });
[["querySelectorAll", 1], ["getElementsByClassName", 1],
["getElementsByAttribute", 2], ["getElementsByTagName", 1]].forEach(
function(pair) {
var p0 = pair[0], p1 = pair[1];
attachMethod(chr, p0, toNodeList, p1);
attachMethod(chr2, p0, toNodeList, p1);
attachMethod(con, p0, toNodeList, p1);
}
);
global_object_av.forEachObj(function(go) {
go.addProp("content-", { aval: chr2av, enum: false });
go.addProp("contentWindow-", { aval: chr2av, enum: false });
go.addProp("document-", { aval: chrav, enum: false });
go.addProp("gBrowser-", { aval: chrav, enum: false });
go.addProp("opener-", { aval: chrav, enum: false });
go.addProp("window-", { aval: chrav, enum: false });
});
function aEL(args, withNew, callNode) {
// oldst can be undefined
function evtjoin(oldst, newst) {
if (oldst) {
if (oldst[0] !== newst[0]) newst[0] = "unknown-";
if (oldst[1] !== newst[1]) newst[1] = "any";
if (oldst[2] !== newst[2]) newst[2] = "any";
if (oldst[3] !== newst[3]) newst[3] = "unsafe";
}
return newst;
}
var evt = (args[1] && args[1].getStrLit()) || "unknown-";
var ratorNode = callNode.children[0], raddr=ratorNode.addr, ec, evtkind, st;
if (!ratorNode) return new Ans(BOTTOM);
ec = e10sResults[raddr];
if (ec)
ec.analyzed = true;
else {
if (!raddr) raddr = ratorNode.addr = newCount();
ec = e10sResults[raddr] = {lineno : ratorNode.lineno,
analyzed : true,
kind : "Attach listener",
status : undefined};
}
evtkind = eventKinds[evt.slice(0,-1)];
if (evtkind === XUL)
st = [evt, "chrome", "chrome", "safe"];
else if (evtkind === undefined && !args[4] && evt !== "unknown-") {
// listener for custom event that can't come from content
st = [evt, "chrome", "chrome", "safe"];
}
else {
var numobjs = 0;
args[0].forEachObj(function(o) {
++numobjs;
if (o instanceof Chrome) {
var st2 = [evt, "chrome", undefined, undefined];
if (evtkind === NO_BUBBLE) {
st2[2] = "chrome";
st2[3] = "safe";
}
else {
st2[2] = "any";
st2[3] = "unsafe"
}
st = evtjoin(st, st2);
}
else if (o instanceof Content) {
st = evtjoin(st, [evt, "content", "content", "unsafe"]);
}
else
st = evtjoin(st, [evt, "any", "any", "unsafe"]);
});
if (numobjs === 0) st = [evt, "any", "any", "unsafe"];
}
ec.status = evtjoin(ec.status, st);
return new Ans(BOTTOM);
}
var aEL_node = funToNode("addEventListener-", aEL, 3);
new Aobj({ addr: count,
proto : function_prototype_av,
fun : aEL_node });
var aELav = makeObjAval(count);
// Node, Aval, Aval -> Aval
function evalExp_e10s(n, recv, av) {
var recvchrome = false, recvcon = false;
recv.forEachObjWhile(function(o) {
if (o instanceof Chrome)
recvchrome = true;
else if (o instanceof Content)
recvcon = true;
return recvchrome && recvcon;
});
if (recvchrome && !recvcon)
av.forEachObjWhile(function(o) {
if (o instanceof Content) {
var ec = e10sResults[n.addr];
ec.analyzed = true;
ec.kind = "Touch content";
return true;
}
});
//hideous hack for properties of chrome & content elms we don't know about
if (aveq(av, AUNDEF) && (recvchrome || recvcon))
return recv;
else
return av;
}
// replace evalExp/DOT with the following function
evalExp_override(DOT, function(n, fr) {
var ch = n.children;
var ans = evalExp(ch[0], fr), avobj = ans.v.baseToObj();
ans.thisav = avobj; // used by method calls
if (ch[1].value === "addEventListener-")
ans.v = aELav;
else
ans.v = avobj.getProp(ch[1].value);
ans.v = evalExp_e10s(n, avobj, ans.v);
return ans;
});
evalExp_override(INDEX, function(n, fr) {
var ansobj = evalExp(n.children[0], fr), avobj = ansobj.v.baseToObj();
var prop = n.children[1], errval = ansobj.err, av , ans;
fr = ansobj.fr;
if (prop.type === STRING)
av = avobj.getProp(prop.value);
else {
var ansprop = evalExp(prop, fr), avprop = ansprop.v;
fr = ansprop.fr;
errval = maybeavjoin(errval, ansprop.err);
av = BOTTOM;
if (avprop.hasNum())
avobj.forEachObj(function(o) { av = avjoin(av, o.getNumProps()); });
if (avprop.hasStr()) {
var slit = avprop.getStrLit();
if (slit)
av = avjoin(av, avobj.getProp(slit));
else
avobj.forEachObj(function(o) { av = avjoin(av, o.getStrProps()); });
}
}
ans = new Ans(evalExp_e10s(n, avobj, av), fr, errval);
ans.thisav = avobj;
return ans;
});
}
const XUL = 0, BUBBLE = 1, NO_BUBBLE = 2;
var eventKinds = {
abort : BUBBLE,
blur : NO_BUBBLE,
broadcast : XUL,
change : BUBBLE,
CheckboxStateChange : XUL,
click : BUBBLE,
close : XUL,
command : XUL,
commandupdate : XUL,
contextmenu : XUL,
dblclick : BUBBLE,
DOMActivate : BUBBLE,
DOMAttrModified : BUBBLE,
DOMCharacterDataModified : BUBBLE,
DOMContentLoaded : BUBBLE,
DOMFocusIn : BUBBLE,
DOMFocusOut : BUBBLE,
DOMMenuItemActive : XUL,
DOMMenuItemInactive : XUL,
DOMMouseScroll : XUL,
DOMNodeInserted : BUBBLE,
DOMNodeInsertedIntoDocument : NO_BUBBLE,
DOMNodeRemoved : BUBBLE,
DOMNodeRemovedFromDocument : NO_BUBBLE,
DOMSubtreeModified : BUBBLE,
dragdrop : XUL,
dragenter : XUL,
dragexit : XUL,
draggesture : XUL,
dragover : XUL,
error : BUBBLE,
focus : NO_BUBBLE,
input : XUL,
keydown : BUBBLE,
keypress : BUBBLE,
keyup : BUBBLE,
load : NO_BUBBLE,
mousedown : BUBBLE,
mousemove : BUBBLE,
mouseout : BUBBLE,
mouseover : BUBBLE,
mouseup : BUBBLE,
overflow : XUL,
overflowchanged : XUL,
pagehide: BUBBLE,
pageshow: BUBBLE,
popuphidden : XUL,
popuphiding : XUL,
popupshowing : XUL,
popupshown : XUL,
RadioStateChange : XUL,
reset : BUBBLE,
resize : BUBBLE,
scroll : BUBBLE,
select : BUBBLE,
submit : BUBBLE,
TabClose : XUL,
TabOpen : XUL,
TabSelect : XUL,
underflow : XUL,
unload : NO_BUBBLE
// ViewChanged event from greasemonkey?
};
function analyze_addon(ast, tmout) {
print("Doing CFA");
timeout = tmout;
cfa2(ast);
// Addresses are irrelevant outside jscfa, convert results to array.
var rs = [];
for (var addr in e10sResults) {
var r = e10sResults[addr];
if (r.analyzed) rs.push(r);
}
rs.astSize = astSize;
rs.timedout = timedout;
print("Done with CFA: " + timestamp);
return rs;
}
exports.analyze_addon = analyze_addon;