CodeQL library for JavaScript/TypeScript
codeql/javascript-all 2.0.1-dev (changelog, source)

Member predicate DataFlow::TypeBackTracker::smallstep

Gets the summary that corresponds to having taken a backwards local, heap and/or inter-procedural step from succ to pred.

Unlike TypeBackTracker::step, this predicate exposes all edges in the flowgraph, and not just the edges between SourceNodes. It may therefore be less performant.

Type tracking predicates using small steps typically take the following form:

DataFlow::Node myType(DataFlow::TypeBackTracker t) {
  t.start() and
  result = < some API call >.getArgument(< n >)
  or
  exists (DataFlow::TypeBackTracker t2 |
    t2 = t.smallstep(result, myType(t2))
  )
}

DataFlow::Node myType() {
  result = myType(DataFlow::TypeBackTracker::end())
}

TypeBackTracker smallstep(Node pred, Node succ)
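
The template above, filled in for one concrete sink, as an added example that is not part of the CodeQL library or its documentation. It assumes the API call of interest is `child_process.exec` and that argument 0 (the command string) is the value to track backwards; the predicate names `execCommandArg` and `execCommand` and the query `@id` are hypothetical.

```ql
/**
 * @name Values reaching the command argument of child_process.exec
 * @description Audit aid: lists every data-flow node that small-step
 *              backward type tracking connects to the command string.
 * @kind problem
 * @problem.severity recommendation
 * @id js/example/exec-command-backtrack
 */

// The @id above is a placeholder chosen for this example.
import javascript

/** Gets the command argument of a call to `child_process.exec` (the sink assumed here). */
DataFlow::Node execCommandArg() {
  result = DataFlow::moduleMember("child_process", "exec").getACall().getArgument(0)
}

/**
 * Gets a node from which a value reaches `execCommandArg()`.
 * Follows the small-step form shown on this page, so intermediate nodes
 * that are not `SourceNode`s are part of the result as well.
 */
DataFlow::Node execCommand(DataFlow::TypeBackTracker t) {
  // Base case: start tracking at the sink itself.
  t.start() and
  result = execCommandArg()
  or
  // Recursive case: take one backwards small step from a node already reached.
  exists(DataFlow::TypeBackTracker t2 |
    t2 = t.smallstep(result, execCommand(t2))
  )
}

/** Gets a node whose value reaches the command argument, with tracking complete. */
DataFlow::Node execCommand() {
  result = execCommand(DataFlow::TypeBackTracker::end())
}

from DataFlow::Node n
where
  n = execCommand() and
  // Report only the upstream nodes, not the argument itself.
  not n = execCommandArg()
select n, "This value reaches the command argument of child_process.exec."
```

Because `smallstep` exposes every flow-graph edge, the result set includes intermediate variable reads and assignments; narrowing the final `from` clause (for example to `DataFlow::ParameterNode`) keeps review output manageable on large code bases.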