Skip to content

JS: reintroduce js/server-crash #4951

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Jan 22, 2021
Merged

JS: reintroduce js/server-crash #4951

merged 9 commits into from
Jan 22, 2021

Conversation

esbena
Copy link
Contributor

@esbena esbena commented Jan 13, 2021

This closes https://github.com/github/codeql-javascript-team/issues/188 by rewriting the reverted js/server-crash - see original PR and its revert.

The core idea remains the same, but there are two major implementation changes:

  • the callgraph is now traversed with type-tracking like predicates instead of explicit transitive closures
  • the query is a @kind path-problem query that uses the path to explain how the exception connects to the async call back and the route handler
    • please consider the usability of this thoroughly since this is the first path explanation that is not about data flow

Sample run: https://lgtm.com/query/4927397113480631507/. To view a path explanation in vscode, try the eclipse/orion.client database.

The qhelp is still missing. Lets first agree that we believe in the current formulation of the query.

For the record, there is plenty of future work for this query. See https://github.com/github/codeql-javascript-team/issues/105.

@esbena esbena added the JS label Jan 13, 2021
@esbena esbena requested review from mchammer01 and a team as code owners January 13, 2021 07:29
erik-krogh
erik-krogh reviewed Jan 13, 2021
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The approach sounds good to me, and I also like the use of path-problem to show how the exception throw relates to the route handler.

I think we could consider hiding the mid-nodes that are function-nodes.
E.g. looking at eclipse/orion.client, the function writeResponse takes a lot of space, without really contributing.

Just a single suggestion (in two parts) explicitly stating that invokedByRouteHandler can pass through try-catch statements.

@esbena esbena removed the request for review from mchammer01 January 13, 2021 21:47
@esbena esbena marked this pull request as draft January 13, 2021 22:28
@esbena esbena force-pushed the js/reintroduce-server-crash branch 4 times, most recently from fc1fdf9 to ad2e062 Compare January 18, 2021 20:41
@esbena esbena force-pushed the js/reintroduce-server-crash branch from ad2e062 to 5688d8b Compare January 19, 2021 08:09
@esbena esbena force-pushed the js/reintroduce-server-crash branch from 7724274 to 5a6e692 Compare January 21, 2021 07:43
@esbena
Copy link
Contributor Author

esbena commented Jan 21, 2021

Lets try again - I had to do another rewrite 🙄
The qhelp is also available now.

Presentation

(see this 236-run)

The approach sounds good to me, and I also like the use of path-problem to show how the exception throw relates to the route handler.

We only present the exception path now, the path from the thrower to the callback is a data flow path, and the path from the asynchronous call to the route handler is a control flow path, and it can become quite confusing for the reader to traverse a path with two kinds of flow. Besides, I found that there is a context sensitivity requirement that makes the edges relation more complex to compute if the asynchronous call is a mandatory mid-node.

I think we could consider hiding the mid-nodes that are function-nodes.

I went back and forth on this, ultimately I found it more useful (albeit verbose) to have the function nodes in the path.

Performance

After a LGTM-run-on-all and a few optimizations, I have not observed any of the slowest project to require more than 100 seconds of analysis locally.

The speed is backed by a unstable dist-compare for js/xss vs js/xss + js/server-crash.

I had to do another rewrite to handle performance and presentation.

@esbena esbena marked this pull request as ready for review January 21, 2021 09:24
erik-krogh
erik-krogh reviewed Jan 21, 2021
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few nits, but otherwise it looks fine to me.

@codeql-ci codeql-ci merged commit 527c415 into github:main Jan 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erik-krogh erik-krogh erik-krogh approved these changes

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@esbena @erik-krogh @codeql-ci