Skip to content

JS: fix context sensitivity bug in store-load matching #8478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Mar 21, 2022
Merged

JS: fix context sensitivity bug in store-load matching #8478

merged 3 commits into from
Mar 21, 2022

Conversation

asgerf
Copy link
Contributor

@asgerf asgerf commented Mar 17, 2022
edited
Loading

Background:
reachableFromStoreBase forward-tracks the base object of a store whose RHS is potentially reachable. If the RHS of that store is only reachable with call steps, we do not permit the base object to be tracked out of a return edge, as it would lead to wasted work (i.e. we want to prune infeasible flows early).

However, it turns out we tried to used the same call bit for two different purposes:

  1. Were call steps used to reach the store RHS? (needed for pruning)
  2. Did we use a call step while tracking the base object? (needed for context sensitivity)

This PR adds a new boolean parameter to track (1), while the boolean in the PathSummary corresponds to (2).

Evaluation looks ok. The new results are uninteresting and most likely FPs, although it's hard to triage. I've confirmed that the flow steps enabled by this PR are correct in isolation, but the final path contain some spurious flow caused by imprecise handling of array indices and captured variables.

@asgerf asgerf added JS Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels Mar 17, 2022
@asgerf asgerf force-pushed the js/store-load-flow-context-sensitivity-bug branch from ef5d6e8 to 8753632 Compare March 17, 2022 16:30
@asgerf asgerf removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label Mar 18, 2022
@asgerf asgerf marked this pull request as ready for review March 18, 2022 11:00
@asgerf asgerf requested a review from a team as a code owner March 18, 2022 11:00
erik-krogh
erik-krogh approved these changes Mar 21, 2022
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍

And thanks for the description you wrote as part of this PR. It helped.

@codeql-ci codeql-ci merged commit b04c46f into github:main Mar 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erik-krogh erik-krogh erik-krogh approved these changes

Assignees
No one assigned
Labels
documentation JS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@asgerf @erik-krogh @codeql-ci