no literal callback for top-level function declarations in eval'd string

[msridhar]

Consider the following script:

eval("function u(s) { console.log(s); } u(\"Hello\");");

When executing the instrumented version of the script, here is the instrumented code that I see for the eval'd string:

function u(s) {
    jalangiLabel0:
        while (true) {
            try {
                J$.Fe(37, arguments.callee, this, arguments);
                arguments = J$.N(45, 'arguments', arguments, true, false, false);
                s = J$.N(53, 's', s, true, false, false);
                J$.M(29, J$.I(typeof console === 'undefined' ? console = J$.R(13, 'console', undefined, true, true) : console = J$.R(13, 'console', console, true, true)), 'log', false)(J$.R(21, 's', s, false, false));
            } catch (J$e) {
                J$.Ex(85, J$e);
            } finally {
                if (J$.Fr(93))
                    continue jalangiLabel0;
                else
                    return J$.Ra();
            }
        }
}
J$.F(77, J$.R(61, 'u', u, false, true), false)(J$.T(69, 'Hello', 21, false));

The bug is that there is no J$.T call corresponding to the creation of the function u. This leads to my analysis seeing the functionEnter callback for the call to u without ever having seen a literal callback for u, which is problematic.

[ksen007]

var f = eval("function u(s) { console.log(s); } u("Hello");");

won't work if I add the call to J$.N and J$.T as a statement before the function definition.

On Nov 20, 2014, at 4:34 PM, Manu Sridharan notifications@github.com wrote:

Consider the following script:

eval("function u(s) { console.log(s); } u("Hello");");
When executing the instrumented version of the script, here is the instrumented code that I see for the eval'd string:

function u(s) {
jalangiLabel0:
while (true) {
try {
J$.Fe(37, arguments.callee, this, arguments);
arguments = J$.N(45, 'arguments', arguments, true, false, false);
s = J$.N(53, 's', s, true, false, false);
J$.M(29, J$.I(typeof console === 'undefined' ? console = J$.R(13, 'console', undefined, true, true) : console = J$.R(13, 'console', console, true, true)), 'log',
false)(J$.R(21, 's', s, false, false));
} catch (J$e) {
J$.Ex(85, J$e);
} finally {
if (J$.Fr(93))
continue jalangiLabel0;
else
return J$.Ra();
}
}
}
J$.F(77, J$.R(61, 'u', u, false, true), false)(J$.T(69, 'Hello', 21, false));
The bug is that there is no J$.T call corresponding to the creation of the function u. This leads to my analysis seeing the functionEnter callback for the call to u without ever having seen a literal callback for u, which is problematic.

—
Reply to this email directly or view it on GitHub #82.

[msridhar]

I'm not sure what the right fix is here. But if we can at least add the J$.T callback somewhere that would be very helpful, at least for my analysis. J$.N would be good too, but it's not quite as important.

[esbena]

won't work if I add the call to J$.N and J$.T as a statement before the function definition.

Is the issue the requirement for an expression context?
If so, the following hack with an extra eval and a sequence expression should work.

(without instrumentation first)

var f = (eval("var u"), u = function u(s) { console.log(s); }, u("Hello"));

With instrumentation:

var f = (eval("var u"), 
            u = J$.T(..., function u(s) {...}, ), 
            u = J$.N(..., u), 
            J$.F(..., J$.R(...u...), ..., J$.T(...)));

[msridhar]

To confirm, this bug is fixed in jalangi2.