JS: Fix jump steps generated by IIFEs and exception flow #18043
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We generate local flow steps into and out of IIFEs, but these come jump steps automatically, resulting in FPs.
Bailing out can be more expensive as the resulting jump steps themselves cause perf issues. The limit of 100 variables per scope has also been added in the interim, which handles the cases that this needed to cover.
Previously a few Promise-related methods were special-cased, which is no longer needed.
We previously caught this flow because of a heuristic in capture flow. We'll have to fix it properly later.
The VariableCapture library consumes one component of the access path limit, which means we lose this result
erik-krogh
approved these changes
Nov 25, 2024
| @@ -20,7 +21,11 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig { | |||
|
|
|||
| predicate isSink(DataFlow::Node sink) { sink instanceof Sink } | |||
|
|
|||
| predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } | |||
| predicate isBarrier(DataFlow::Node node) { | |||
There was a problem hiding this comment.
This doesn't seem to be tested?
A test should probably also test d1c9e47.
| /** | ||
| * Holds if `node1 -> node2` should be removed as a jump step. | ||
| * | ||
| * Currently this is done as a workaround for the local steps generated from IIFEs. |
There was a problem hiding this comment.
"Currently"?
Is that hinting towards plans for a another solution in the future?
There was a problem hiding this comment.
In general this predicate can populated with jump steps that should be excluded, and currently the only use-case for this is the workaround mentioned. So it was meant to imply that other things could get added to the predicate as well.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes a few semi-related issues that caused performance and precision problems:
Immediately-invoked function expressions (IIFEs)
Removes jump steps generated by local flow into and out of immediately-invoked function expressions (IIFEs), and fixes some bugs so that the same flow is now handled by regular flow rules. IIFEs are special-cased in the local flow relation, which benefits things like type tracking and type inference, but is unhelpful for the data flow library.
Exceptions
Removes jump steps resulting from exception-propagating flow steps involving callbacks. Exceptions from callbacks passed to a library function are now handled as follows:
Argument[0..].ReturnValue[exception]toReturnValue[exception].ReturnValue[exception], the summary is assumed to propagate the exceptions from each callback mentioned in the summary. (This isn't equivalent to adding the exception propagator as an additional target, because flow-through from a parameter to the exceptional return wouldn't work in that case).Block flow into test cases
js/insecure-randomnessnow blocks flow through test cases. Perhaps more queries ought to do this, but it seems particularly problematic for this query. Also broadens our classifications of test files a bit.Evaluation:
vscodejs/insecure-randomnessEvaluation against main shows that we're down to a median 30% slowdown, with a 141% worst-case slowdown.