Merge pull request #470 from esben-semmle/custom-abstract-values-only

Approved by xiemaisi

Author: semmle-qlci

javascript/ql/src/semmle/javascript/dataflow/CustomAbstractValueDefinitions.qll

@@ -0,0 +1,158 @@
+/**
+ * Provides classes for working with analysis-specific abstract values.
+ *
+ * Implement a subclass of `CustomAbstractValueDefinition` when the builtin
+ * abstract values of `AbstractValues.qll` are not expressive enough.
+ *
+ * For performance reasons, all subclasses of `CustomAbstractValueDefinition`
+ * should be part of the standard library.
+ */
+
+import javascript
+private import internal.AbstractValuesImpl
+private import InferredTypes
+
+/**
+ * An abstract representation of an analysis-specific value.
+ *
+ * Wraps a `CustomAbstractValueDefinition`.
+ */
+class CustomAbstractValueFromDefinition extends AbstractValue, TCustomAbstractValueFromDefinition {
+
+  CustomAbstractValueDefinition def;
+
+  CustomAbstractValueFromDefinition() {
+    this = TCustomAbstractValueFromDefinition(def)
+  }
+
+  override InferredType getType() {
+    result = def.getType()
+  }
+
+  override boolean getBooleanValue() {
+    result = def.getBooleanValue()
+  }
+
+  override PrimitiveAbstractValue toPrimitive() {
+    result = def.toPrimitive()
+  }
+
+  override predicate isCoercibleToNumber() {
+    def.isCoercibleToNumber()
+  }
+
+  override predicate isIndefinite(DataFlow::Incompleteness cause) {
+    def.isIndefinite(cause)
+  }
+
+  override DefiniteAbstractValue getAPrototype() {
+    result = def.getAPrototype()
+  }
+
+  override predicate hasLocationInfo(string f, int startline, int startcolumn, int endline, int endcolumn) {
+    def.getLocation().hasLocationInfo(f, startline, startcolumn, endline, endcolumn)
+  }
+
+  override string toString() {
+    result = def.toString()
+  }
+
+  /**
+   * Gets the definition that induces this value.
+   */
+  CustomAbstractValueDefinition getDefinition() {
+   result = def
+  }
+
+  /** Holds if this is a value whose properties the type inference tracks. */
+  predicate shouldTrackProperties() {
+    def.shouldTrackProperties()
+  }
+
+}
+
+/**
+ * A data-flow node that induces an analysis-specific abstract value.
+ *
+ * Enables modular extensions of `AbstractValue`.
+ *
+ * For performance reasons, all subclasses of this class  should be part
+ * of the standard library.
+ */
+abstract class CustomAbstractValueDefinition extends Locatable {
+
+  /**
+   * Gets the type of some concrete value represented by the induced
+   * abstract value.
+   */
+  abstract InferredType getType();
+
+  /**
+   * Gets the Boolean value that some concrete value represented by the
+   * induced abstract value coerces to.
+   */
+  abstract boolean getBooleanValue();
+
+  /**
+   * Gets an abstract primitive value the induced abstract value coerces
+   * to.
+   *
+   * This abstractly models the `ToPrimitive` coercion described in the
+   * ECMAScript language specification.
+   */
+  abstract PrimitiveAbstractValue toPrimitive();
+
+  /**
+   * Holds if the induced abstract value is coercible to a number, that
+   * is, it represents at least one concrete value for which the
+   * `ToNumber` conversion does not yield `NaN`.
+   */
+  abstract predicate isCoercibleToNumber();
+
+  /**
+   * Holds if the induced abstract value is an indefinite value arising
+   * from the incompleteness `cause`.
+   */
+  predicate isIndefinite(DataFlow::Incompleteness cause) {
+    none()
+  }
+
+  /**
+   * Gets an abstract value that represents a prototype object of the
+   * induced abstract value.
+   */
+  AbstractValue getAPrototype() {
+    exists (AbstractProtoProperty proto |
+      proto.getBase() = getAbstractValue() and
+      result = proto.getAValue()
+    )
+  }
+
+  /**
+   * Gets the induced abstract value.
+   */
+  AbstractValue getAbstractValue() {
+    result.(CustomAbstractValueFromDefinition).getDefinition() = this
+  }
+
+  /** Holds if this is a value whose properties the type inference tracks. */
+  abstract predicate shouldTrackProperties();
+
+}
+
+/**
+ * Flow analysis for custom abstract values.
+ */
+class CustomAbstractValueFromDefinitionNode extends DataFlow::AnalyzedNode, DataFlow::ValueNode {
+
+  CustomAbstractValueFromDefinition val;
+
+  CustomAbstractValueFromDefinitionNode() {
+    val = TCustomAbstractValueFromDefinition(this.getAstNode())
+  }
+
+  override AbstractValue getALocalValue() {
+    result = val
+  }
+
+}

javascript/ql/src/semmle/javascript/dataflow/internal/AbstractPropertiesImpl.qll

@@ -77,5 +77,6 @@ predicate shouldAlwaysTrackProperties(AbstractValue baseVal) {
 predicate shouldTrackProperties(AbstractValue baseVal) {
   shouldAlwaysTrackProperties(baseVal) or
   baseVal instanceof AbstractObjectLiteral or
-  baseVal instanceof AbstractInstance
+  baseVal instanceof AbstractInstance or
+  baseVal.(CustomAbstractValueFromDefinition).shouldTrackProperties()
 }

javascript/ql/src/semmle/javascript/dataflow/internal/AbstractValuesImpl.qll

@@ -6,6 +6,7 @@
 
 import semmle.javascript.dataflow.AbstractValues
 private import semmle.javascript.dataflow.InferredTypes
+import semmle.javascript.dataflow.CustomAbstractValueDefinitions
 
 /** An abstract value inferred by the flow analysis. */
 cached newtype TAbstractValue =
@@ -101,6 +102,9 @@ cached newtype TAbstractValue =
   or
   /** A custom abstract value induced by `tag`. */
   TCustomAbstractValue(CustomAbstractValueTag tag)
+  or
+  /** A custom abstract value induced by `def`. */
+  TCustomAbstractValueFromDefinition(CustomAbstractValueDefinition def)
 
 /**
  * Gets a definite abstract value with the given type.

javascript/ql/test/library-tests/CustomAbstractValueDefinitions/CustomAbstractValueDefinitions.expected

@@ -0,0 +1,2 @@
+| tst.js:4:16:4:50 | { custo ... false } | tst.js:4:16:4:50 | { custo ... false } | false | false |
+| tst.js:5:16:5:49 | { custo ...  true } | tst.js:5:16:5:49 | { custo ...  true } | false | true |

javascript/ql/test/library-tests/CustomAbstractValueDefinitions/CustomAbstractValueDefinitions.ql

@@ -0,0 +1,57 @@
+import javascript
+import semmle.javascript.dataflow.InferredTypes
+import semmle.javascript.dataflow.internal.FlowSteps as FlowSteps
+import semmle.javascript.dataflow.internal.AbstractPropertiesImpl as AbstractPropertiesImpl
+import semmle.javascript.dataflow.CustomAbstractValueDefinitions
+
+class MyCustomAbstractValueDefinition extends CustomAbstractValueDefinition {
+
+  DataFlow::ValueNode node;
+
+  MyCustomAbstractValueDefinition() {
+    DataFlow::valueNode(this) = node and
+    node instanceof DataFlow::ObjectLiteralNode and
+    exists (DataFlow::PropWrite pwn |
+      pwn.writes(node, "custom", any(BooleanLiteral l | l.getValue() = "true").flow())
+    )
+  }
+
+  override boolean getBooleanValue() {
+    result = true
+  }
+
+  override predicate isCoercibleToNumber() {
+    none()
+  }
+
+  override PrimitiveAbstractValue toPrimitive() {
+    result = TAbstractOtherString()
+  }
+
+  override InferredType getType() { result = TTObject() }
+
+  override predicate shouldTrackProperties() {
+    exists (DataFlow::PropWrite pwn |
+      pwn.writes(node, "trackProps", any(BooleanLiteral l | l.getValue() = "true").flow())
+    )
+  }
+
+}
+
+boolean flowProps(AbstractValue val) {
+  if FlowSteps::shouldTrackProperties(val) then
+    result = true
+  else
+    result = false
+}
+
+boolean typeProps(AbstractValue val) {
+  if AbstractPropertiesImpl::shouldTrackProperties(val) then
+    result = true
+  else
+    result = false
+}
+
+from MyCustomAbstractValueDefinition def, AbstractValue val
+where def.getAbstractValue() = val
+select def, val, flowProps(val), typeProps(val)

javascript/ql/test/library-tests/CustomAbstractValueDefinitions/CustomAbstractValueDefinitionsFlow.expected

@@ -0,0 +1,8 @@
+| tst.js:4:16:4:50 | { custo ... false } | tst.js:4:16:4:50 | { custo ... false } |
+| tst.js:5:16:5:49 | { custo ...  true } | tst.js:5:16:5:49 | { custo ...  true } |
+| tst.js:15:9:15:21 | result = obj3 | tst.js:4:16:4:50 | { custo ... false } |
+| tst.js:15:18:15:21 | obj3 | tst.js:4:16:4:50 | { custo ... false } |
+| tst.js:18:9:18:21 | result = obj4 | tst.js:5:16:5:49 | { custo ...  true } |
+| tst.js:18:18:18:21 | obj4 | tst.js:5:16:5:49 | { custo ...  true } |
+| tst.js:21:5:21:10 | result | tst.js:4:16:4:50 | { custo ... false } |
+| tst.js:21:5:21:10 | result | tst.js:5:16:5:49 | { custo ...  true } |

javascript/ql/test/library-tests/CustomAbstractValueDefinitions/CustomAbstractValueDefinitionsFlow.ql

@@ -0,0 +1,40 @@
+import javascript
+import semmle.javascript.dataflow.InferredTypes
+import semmle.javascript.dataflow.CustomAbstractValueDefinitions
+
+class MyCustomAbstractValueDefinition extends CustomAbstractValueDefinition {
+
+  DataFlow::ValueNode node;
+
+  MyCustomAbstractValueDefinition() {
+    DataFlow::valueNode(this) = node and
+    node instanceof DataFlow::ObjectLiteralNode and
+    exists (DataFlow::PropWrite pwn |
+      pwn.writes(node, "custom", any(BooleanLiteral l | l.getValue() = "true").flow())
+    )
+  }
+
+  override boolean getBooleanValue() {
+    result = true
+  }
+
+  override predicate isCoercibleToNumber() {
+    none()
+  }
+
+  override PrimitiveAbstractValue toPrimitive() {
+    result = TAbstractOtherString()
+  }
+
+  override InferredType getType() { result = TTObject() }
+
+  override predicate shouldTrackProperties() {
+    none()
+  }
+
+}
+
+from AnalyzedValueNode n, MyCustomAbstractValueDefinition def, CustomAbstractValueFromDefinition val
+where def.getAbstractValue() = val and
+      n.getAValue() = val
+select n, val

javascript/ql/test/library-tests/CustomAbstractValueDefinitions/tst.js

@@ -0,0 +1,22 @@
+(function() {
+    var obj1 = { custom: false, trackProps: false };
+    var obj2 = { custom: false, trackProps: true };
+    var obj3 = { custom: true, trackProps: false };
+    var obj4 = { custom: true, trackProps: true };
+
+    var result;
+    if (x1) {
+        result = obj1;
+    }
+    if (x2) {
+        result = obj2;
+    }
+    if (x3) {
+        result = obj3;
+    }
+    if (x4) {
+        result = obj4;
+    }
+
+    result;
+})();