aurore54f / static-pdg-js Goto Github PK

Hi Aurore,

I notice there may be a bug leading to insufficient data flow relations. Here is an example:

1 function demo(flag){
2   if(flag){
3        return true;
4   }
5    else{
6       return false;
7    }
8  }
9  var this_flag = "1".toString(); // this_flag could be anything, we don't know its value when statically analyzing
10 var test_var;
11  if(demo(this_flag)){
12   console.log(test_var);
13  }
14  else{
15    console.log(test_var);
16 }

The variable test_var in line 10 has two data dependency children in line 12 and line 15. However, in the output dfg there is only one of them, which is the child test_var in line 15.

I suppose the problems comes from line 880 in data_flow.py

    return_value = None
    if function_def.fun_return:
           return_value = get_node_value(function_def.fun_return[-1], initial_node=node) #Here 
        # Last in, only one out
        # Beware, NOT get_node_computed_value because we want to compute the value again: the
        # previously stored value is the returned value hard coded in the function def before exec
    logging.debug('The function %s returns %s', function_name, return_value)
    node.set_value(return_value)

where you aggressively pop the last return value. However, the function demo may return two different values(true or false) according to parameter flag.
When we don't know the actual value of this parameter, the return value of demo(this_flag) in line 11 should be set to None instead of false. As the program always fetches the last value (i.e. false) in the func_return, code in true branch(line 12 in this case) would never be analyzed.

Thank you for your time and attention, and for providing such a valuable tool to the community. I look forward to hearing back from you soon.

Best regards,
Yifan