MMF-712

JS X-Proc first step: single function return constraint based on parameters' constraints


    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: None
    • Labels:


      This MMF is meant to be a baby step towards the goal of cross-procedural symbolic execution in JavaScript.

      Because every JS function is a closure and functions are defined dynamically, the overall idea of cross-procedural symbolic execution (SE) is to imitate "real life":

      • executing a JavaScript script means starting from its top level (the global scope)
      • executing all the function invocations which are encountered

      The scope of this MMF includes the following functionalities:

      • do not execute the global scope (script body)
      • during the execution of a function body, proceed with "nested" execution of resolvable functions
      • note that currently we are only able to resolve calls to functions declared inside the analysed function
      • "nested" execution is aware of the constraints on parameters (by mapping them to the arguments of the call expression)
      • "nested" execution happens without knowledge of the variables declared in the outer scopes
      • we use the return value constraint of the "nested" execution as the result of the call expression in the analysed function (if "nested" execution creates several return value constraints, we use an "or" operation to merge them)

      Here is an example:

      function outside(p) {
         return (p ? 42 : null);
      }
      function foo() {
        var bar = function (p) { // we call this function with a number
           function foobar() { return (p ? 42 : 24); }
           if (p == null) {
              return null; // this branch is not executed
           } else {
              return foobar(); // we should be able to resolve that "foobar()" returns a number
           }
        };
        var unknown = outside(42); // execution of this function is not covered by this MMF, as we can't resolve declarations from outside
        var x = bar(42);  // execution of "bar" is in the scope of this MMF, we should be able to resolve that "bar(...)" returns a number
        x.foo(); // we should be able to detect a TypeError on this line, as "x" is a number and "x.foo" is "undefined"
      }
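
      The scoped behaviour listed above, as a small runnable sketch added here for illustration (it is not the analyser's own code): constraints are modelled as sets of type tags, and the mini-AST node shapes and all function names are assumptions.

```javascript
// Added illustration: the mini-AST node shapes and every name here are hypothetical.
const ANY = 'any';                                  // "nothing known" constraint
const union = (a, b) => new Set([...a, ...b]);      // the "or" merge of constraints
const nullish = k => k === 'null' || k === 'undefined';
function evalExpr(e, env, fns) {
  switch (e.t) {
    case 'lit':  return new Set([e.type]);
    case 'id':   return env[e.name] || new Set([ANY]);   // outer-scope variable: unknown
    case 'cond': return union(evalExpr(e.a, env, fns), evalExpr(e.b, env, fns));
    case 'call': return fns[e.callee]                    // only local declarations resolve
      ? execFn(fns[e.callee], e.args.map(a => evalExpr(a, env, fns))) : new Set([ANY]);
    default: throw new Error('unsupported node ' + e.t);
  }
}

// "Nested" execution: parameters take the argument constraints, returns are merged.
function execFn(fn, args) {
  const env = {}, fns = {}; let returns = new Set();
  fn.params.forEach((p, i) => { env[p] = args[i] || new Set(['undefined']); });
  fn.body.filter(s => s.t === 'fn').forEach(f => { fns[f.name] = f; });
  const run = stmts => {                  // true when every feasible path has returned
    for (const s of stmts) {
      if (s.t === 'ret') { returns = union(returns, evalExpr(s.arg, env, fns)); return true; }
      if (s.t === 'ifNull') {             // models `if (name == null) {...} else {...}`
        const c = [...(env[s.name] || [ANY])];
        const thenDone = c.some(k => nullish(k) || k === ANY) ? run(s.then) : true;
        const elseDone = c.some(k => !nullish(k)) ? run(s.else) : true;
        if (thenDone && elseDone) return true;
      }
    }
    return false;
  };
  return run(fn.body) ? returns : union(returns, ['undefined']);  // fell off the end
}

// x.prop() is a certain TypeError when no possible type of x has `prop`.
function memberCallThrows(c, prop) {
  const protos = { number: Number.prototype, string: String.prototype };
  return [...c].every(k => nullish(k) || (k in protos && !(prop in protos[k])));
}
// Constructed AST for `bar` from the example above.
const n = { t: 'lit', type: 'number' };
const foobar = { t: 'fn', name: 'foobar', params: [], body: [
  { t: 'ret', arg: { t: 'cond', test: { t: 'id', name: 'p' }, a: n, b: n } }] };
const bar = { t: 'fn', name: 'bar', params: ['p'], body: [foobar,
  { t: 'ifNull', name: 'p', then: [{ t: 'ret', arg: { t: 'lit', type: 'null' } }],
    else: [{ t: 'ret', arg: { t: 'call', callee: 'foobar', args: [] } }] }] };
const barReturns = c => [...execFn(bar, [new Set(c)])].sort();
console.log(barReturns(['number']), memberCallThrows(new Set(barReturns(['number'])), 'foo'));
```

      With a number argument the null branch is infeasible, so only "number" is returned; with an unconstrained argument the two return constraints are merged into "null or number".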

      Possible next steps:

      • if "nested" execution creates several return value constraints, we branch execution in the analysed function
      • try to resolve function declarations from outer scopes





              • Assignee:
                jeanchristophe.collet Jean-Christophe Collet (Inactive)
                elena.vilchik Elena Vilchik