Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JS: Follow use-use flow after a post-update #17535

Open
wants to merge 38 commits into
base: js/shared-dataflow-branch
Choose a base branch
from
Open

JS: Follow use-use flow after a post-update #17535

wants to merge 38 commits into from

Conversation

asgerf
Copy link
Contributor

@asgerf asgerf commented Sep 20, 2024
edited
Loading

Previously there was flow from a post-update node back to getALocalSource(), mirroring how side effects were tracked in the legacy data flow library. This PR changes it so use-use flow is followed after a post-update node. The use-use chain is represented as a new type of data flow node, which is hidden so as not to get confusing data flow paths.

Note however that there is still direct flow from the definition site to all uses/refinements; the use-use chain is only followed after a post-update.

The use-use chain is constructed using the shared SSA library. But we can't remove the old SSA library yet, as it is directly depended on by various components such as type inference. This is also why still have def-use flow, and only switch to use-use after a post-update.

The PR also contains some other changes that were needed to make this switch feasible:

  • Captured this is now tracked as a captured variable, alongside regular variables.
  • Implicit uses of this now have an explicit data flow node, so they can be part of the use-use chain. super calls and instance field initialisers contain an implicit this use.
  • Don't target the post-update node for stores into an object/array literal. Since these expressions may appear as an argument to a call, its associated post-update node should represent side effects in the call.

Evaluation:

  • Evaluation 1 covers all of the commits except the last, and results in:
    • 35 new TPs, mostly due to the fixes for captured variables
    • 13 fixed FPs
    • 14 new FPs (for a net gain of 1 FP)
    • A massive 72% performance improvement for vscode
    • Some regressions in a few projects, but those were recovered by the last commit, as shown in the next evaluation
  • Evaluation 2 shows the effect of the last commit in isolation, recovering the performance loss seen in evaluation 1.

@github-actions github-actions bot added the JS label Sep 20, 2024
@asgerf asgerf force-pushed the jss/use-use-flow branch 4 times, most recently from 8ffa01a to a6f18a1 Compare October 8, 2024 14:32
@asgerf
JS: Refactor some internal methods to make them easier to alias
a258489 
We need these to return the dominator instead of declaring it in the parameter list, so that we can use it directly to fulfill part of the signature for the SSA library.

We can't rewrite it with an inline predicate since the SSA module calls with a transitive closure '*', which does not permit inline predicates.
@asgerf
JS: Instantiate shared SSA library
7363b57 
JS: Remove with statement comment
@asgerf
JS: Add test case for spurious flow from lack of use-use
81e74d8
@asgerf
JS: Add use-use flow
78e961c
@asgerf
JS: Remove unused predicate
9e60042
@asgerf
JS: Move BasicBlocks.qll -> internal/BasicBlocksInternal.qll
211b42d
@asgerf
JS: Remove BasicBlockInternal module and mark relevant predicates as …
3b663bd 
…public

This exposes the predicates publicly, but will be hidden again in the next commit.
@asgerf
JS: Add Public module and only expose that
ed0af95 
Indentation will be fixed in next commit
@asgerf
JS: Fix indentation
3fca27b 
Only formatting changes
@asgerf
JS: Rename Internal -> Cached since whole file is internal now
beaacf9
@asgerf
JS: Add qldoc to file
992c144
@asgerf
JS: Add two test cases for missing flow
d626e79
@asgerf
JS: Fix store into object literals that have a post-update node
9fc99d6
@asgerf
JS: Fix post-update flow into 'this'
c3c003b
@asgerf
JS: Add test for missing flow into 'this' in field initializers
8dc0505
@asgerf
JS: introduce implicit this uses in general
d31499d
@asgerf
JS: Add test for missing capture flow for 'this'
0ebe8bd
@asgerf
JS: Use VariableOrThis in variable capture as well
12370e9
@asgerf
Fix missing flow through super calls
81af9a1
@asgerf
JS: Add TODO
67fdd86
@asgerf
JS: Make barrier guards work with use-use flow
e784813
@asgerf
JS: Cache getARead (as per instructions in the SSA library)
958602e
@asgerf
JS: Add test showing potential for FPs when handling refinement guards
16b08b7
@asgerf
JS: Block jump steps through 'this' now that the capture lib handles …
e05e077 
…'this'
@asgerf
JS: Explain false positive in test case
bd94fe1
@asgerf
Test updates from introduction of implicit 'this'
cb87494
@asgerf
JS: Update test with some post-update consistency checks gone
4473e6d 
For a constructor call, the return value acts as the post-update node for the 'this' argument. The fact that constructor calls are sometimes PostUpdateNodes causes some of these harmless alerts.

The warnings have disappeared in some cases because we no longer target getALocalSource() so the target is no longer the constructor call.
@asgerf
JS: Reveal issue with immutable.js test
c0997c2 
Fixed in the next commit
@asgerf
JS: Update immutable.js test to clarify why it stopped working
ad52b71 
The Immutable model uses the 'd' and 'f' properties to model Map content, but the test doesn't actually mention those properties, so they were missing from the PropertyName class.

The flow was previously found spuriously by the regular Map model, which also adds flow through the  get/set calls. This flow is however no longer found since it relied on a step from post-update back to getALocalSource which is no longer present.
@asgerf
JS: Change rule for getPostUpdateForStore
1efef2c 
This causes less wobbles in test outputs
@asgerf
JS: Update a test that now has more precise output
d557c76
@asgerf
JS: Add imprecise post-update steps for when a captured var/this is n…
1b85feb 
…ot tracked precisely

With the capture library we sometimes bails out of handling certain functions for scalability reasons.

This means we have a notion of "captured but imprecisely-tracked" variables and 'this'. In these cases we go back to propagating flow from a post-update node to the local source.
@asgerf
JS: Add in-barrier to XSS query
d3e70c1 
This is a bit of a bandaid to cover issues with the push() method on next/router being
treated as an array push, which causes it to flow into other taint sources.
@asgerf
JS: Add regained results in UnsafeJQueryPlugin
18b3946 
These were marked as 'NOT OK' in the test file, but weren't previously flagged for some reason
@asgerf
JS: Update CleartextLogging with fixed FP
1243188
@asgerf
JS: Updates to nodes/edges in tests
52ba91a 
Only changes to nodes/edges for various reasons, no actual result changes
@asgerf
JS: Fix missing qldoc
1e9e57e
@asgerf
JS: Only parameter-calls as lambda calls
2fb1084
@asgerf asgerf added the no-change-note-required This PR does not need a change note label Oct 29, 2024
@asgerf asgerf marked this pull request as ready for review October 29, 2024 10:49
@asgerf asgerf requested a review from a team as a code owner October 29, 2024 10:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erik-krogh erik-krogh Awaiting requested review from erik-krogh

Assignees
No one assigned
Labels
JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@asgerf