JS: Handle implicit return in getImmediatePredecessor

asger-semmle · asger-semmle · commit 5397da757968 · 2019-08-02T20:35:22.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -166,11 +166,7 @@ module DataFlow {
      * Gets the immediate predecessor of this node, if any.
      *
      * A node with an immediate predecessor can usually only have the value that flows
-     * into its from its immediate predecessor, currently with one exception:
-     *
-     * - An immediately-invoked function expression with a single return expression `e`
-     *   has `e` as its immediate predecessor, even if the function can fall over the
-     *   end and return `undefined`.
+     * into its from its immediate predecessor.
      */
     cached
     DataFlow::Node getImmediatePredecessor() {
@@ -190,11 +186,11 @@ module DataFlow {
       )
       or
       // IIFE call -> return value of IIFE
-      // Note: not sound in case function falls over end and returns 'undefined'
       exists(Function fun |
         localCall(this.asExpr(), fun) and
         result = fun.getAReturnedExpr().flow() and
-        strictcount(fun.getAReturnedExpr()) = 1
+        strictcount(fun.getAReturnedExpr()) = 1 and
+        not fun.getExit().isJoin() // can only reach exit by the return statement
       )
     }
   }
diff --git a/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js b/javascript/ql/test/query-tests/Statements/UselessComparisonTest/implicitReturn.js
@@ -0,0 +1,6 @@
+function test() {
+  let x = (function() {
+    if (g) return 5;
+  })();
+  if (x + 1 < 5) {} // OK
+}

Original file line number	Diff line number	Diff line change
`@@ -166,11 +166,7 @@ module DataFlow {`
`166`	`166`	`* Gets the immediate predecessor of this node, if any.`
`167`	`167`	`*`
`168`	`168`	`* A node with an immediate predecessor can usually only have the value that flows`
`169`		`- * into its from its immediate predecessor, currently with one exception:`
`170`		`- *`
`171`		- * - An immediately-invoked function expression with a single return expression `e`
`172`		- * has `e` as its immediate predecessor, even if the function can fall over the
`173`		- * end and return `undefined`.
	`169`	`+ * into its from its immediate predecessor.`
`174`	`170`	`*/`
`175`	`171`	`cached`
`176`	`172`	`DataFlow::Node getImmediatePredecessor() {`
`@@ -190,11 +186,11 @@ module DataFlow {`
`190`	`186`	`)`
`191`	`187`	`or`
`192`	`188`	`// IIFE call -> return value of IIFE`
`193`		`- // Note: not sound in case function falls over end and returns 'undefined'`
`194`	`189`	`exists(Function fun \|`
`195`	`190`	`localCall(this.asExpr(), fun) and`
`196`	`191`	`result = fun.getAReturnedExpr().flow() and`
`197`		`- strictcount(fun.getAReturnedExpr()) = 1`
	`192`	`+ strictcount(fun.getAReturnedExpr()) = 1 and`
	`193`	`+ not fun.getExit().isJoin() // can only reach exit by the return statement`
`198`	`194`	`)`
`199`	`195`	`}`
`200`	`196`	`}`