JS: Explain false positive in test case

asgerf · asgerf · commit bd94fe1574f3 · 2024-10-29T08:31:58.000+01:00
diff --git a/javascript/ql/test/library-tests/TripleDot/useuse.js b/javascript/ql/test/library-tests/TripleDot/useuse.js
@@ -163,6 +163,8 @@ function t9() { // same as t8 but with a SanitizerGuard that isn't just a variab
         }
 
         if (typeof obj === "undefined" || typeof obj === "undefined") {
+            // The shared SSA library expects short-circuiting operators be pre-order in the CFG,
+            // but in JS they are post-order (as per evaluation order).
             sink(obj.field); // $ SPURIOUS: hasTaintFlow=t9.1
         } else {
             sink(obj.field); // $ hasTaintFlow=t9.1

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,8 @@ function t9() { // same as t8 but with a SanitizerGuard that isn't just a variab`
`163`	`163`	`}`
`164`	`164`
`165`	`165`	`if (typeof obj === "undefined" \|\| typeof obj === "undefined") {`
	`166`	`+ // The shared SSA library expects short-circuiting operators be pre-order in the CFG,`
	`167`	`+ // but in JS they are post-order (as per evaluation order).`
`166`	`168`	`sink(obj.field); // $ SPURIOUS: hasTaintFlow=t9.1`
`167`	`169`	`} else {`
`168`	`170`	`sink(obj.field); // $ hasTaintFlow=t9.1`