circle-ir 3.16.7 → 3.17.0

package/dist/browser/circle-ir.js

@@ -12735,6 +12735,8 @@ var ExpressionEvaluator = class {
     this.source = source;
     this.getSymbol = getSymbol;
   }
+  source;
+  getSymbol;
   /**
    * Evaluate an expression node to determine its constant value.
    */
@@ -17499,6 +17501,76 @@ var BashPlugin = class extends BaseLanguagePlugin {
   }
 };
 
+// src/languages/plugins/html.ts
+var HtmlPlugin = class extends BaseLanguagePlugin {
+  id = "html";
+  name = "HTML";
+  extensions = [".html", ".htm", ".xhtml"];
+  wasmPath = "tree-sitter-html.wasm";
+  nodeTypes = {
+    // HTML has no OOP constructs
+    classDeclaration: [],
+    interfaceDeclaration: [],
+    enumDeclaration: [],
+    functionDeclaration: [],
+    methodDeclaration: [],
+    // No expressions in HTML
+    methodCall: [],
+    functionCall: [],
+    assignment: [],
+    variableDeclaration: [],
+    // No parameters
+    parameter: [],
+    argument: [],
+    // No annotations
+    annotation: [],
+    decorator: [],
+    // No imports
+    importStatement: [],
+    // No control flow
+    ifStatement: [],
+    forStatement: [],
+    whileStatement: [],
+    tryStatement: [],
+    returnStatement: []
+  };
+  detectFramework(_context) {
+    return void 0;
+  }
+  getBuiltinSources() {
+    return [];
+  }
+  getBuiltinSinks() {
+    return [];
+  }
+  getReceiverType(_node, _context) {
+    return void 0;
+  }
+  isStringLiteral(node) {
+    return node.type === "attribute_value" || node.type === "quoted_attribute_value";
+  }
+  getStringValue(node) {
+    if (!this.isStringLiteral(node)) return void 0;
+    const text = node.text;
+    if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
+      return text.slice(1, -1);
+    }
+    return text;
+  }
+  extractTypes(_context) {
+    return [];
+  }
+  extractCalls(_context) {
+    return [];
+  }
+  extractImports(_context) {
+    return [];
+  }
+  extractPackage(_context) {
+    return void 0;
+  }
+};
+
 // src/languages/plugins/index.ts
 function registerBuiltinPlugins() {
   registerLanguage(new JavaPlugin());
@@ -17506,6 +17578,7 @@ function registerBuiltinPlugins() {
   registerLanguage(new PythonPlugin());
   registerLanguage(new RustPlugin());
   registerLanguage(new BashPlugin());
+  registerLanguage(new HtmlPlugin());
 }
 
 // src/utils/logger.ts
@@ -17571,6 +17644,499 @@ var logger = {
   }
 };
 
+// src/analysis/html/html-extractor.ts
+var EVENT_HANDLER_ATTRS = /* @__PURE__ */ new Set([
+  "onclick",
+  "ondblclick",
+  "onmousedown",
+  "onmouseup",
+  "onmouseover",
+  "onmousemove",
+  "onmouseout",
+  "onmouseenter",
+  "onmouseleave",
+  "onkeydown",
+  "onkeyup",
+  "onkeypress",
+  "onfocus",
+  "onblur",
+  "onchange",
+  "oninput",
+  "onsubmit",
+  "onreset",
+  "onload",
+  "onerror",
+  "onabort",
+  "onresize",
+  "onscroll",
+  "oncontextmenu",
+  "ondrag",
+  "ondrop",
+  "oncopy",
+  "onpaste",
+  "oncut",
+  "ontouchstart",
+  "ontouchend",
+  "ontouchmove",
+  "onanimationend",
+  "onanimationstart",
+  "ontransitionend"
+]);
+function extractHtmlContent(rootNode) {
+  const scriptBlocks = [];
+  const eventHandlers = [];
+  walkNode(rootNode, scriptBlocks, eventHandlers);
+  return { scriptBlocks, eventHandlers };
+}
+function walkNode(node, scriptBlocks, eventHandlers) {
+  if (node.type === "script_element") {
+    extractScriptBlock(node, scriptBlocks);
+  }
+  if (node.type === "element" || node.type === "self_closing_tag") {
+    extractEventHandlers(node, eventHandlers);
+  }
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child) {
+      walkNode(child, scriptBlocks, eventHandlers);
+    }
+  }
+}
+function extractScriptBlock(scriptNode, scriptBlocks) {
+  const startTag = scriptNode.childForFieldName("start_tag") ?? findChildByType2(scriptNode, "start_tag");
+  const src = getAttributeValue(startTag, "src");
+  if (src) {
+    scriptBlocks.push({
+      code: "",
+      lineOffset: scriptNode.startPosition.row + 1,
+      kind: "external-src",
+      src,
+      scriptType: getAttributeValue(startTag, "type") ?? getAttributeValue(startTag, "lang")
+    });
+    return;
+  }
+  const rawText = findChildByType2(scriptNode, "raw_text");
+  if (rawText && rawText.text.trim()) {
+    scriptBlocks.push({
+      code: rawText.text,
+      lineOffset: rawText.startPosition.row + 1,
+      kind: "inline",
+      scriptType: getAttributeValue(startTag, "type") ?? getAttributeValue(startTag, "lang")
+    });
+  }
+}
+function extractEventHandlers(elementNode, eventHandlers) {
+  const tagName = getTagName(elementNode);
+  const tag = elementNode.type === "self_closing_tag" ? elementNode : findChildByType2(elementNode, "start_tag");
+  if (!tag) return;
+  for (let i2 = 0; i2 < tag.childCount; i2++) {
+    const child = tag.child(i2);
+    if (!child || child.type !== "attribute") continue;
+    const nameNode = findChildByType2(child, "attribute_name");
+    if (!nameNode) continue;
+    const attrName = nameNode.text.toLowerCase();
+    if (!EVENT_HANDLER_ATTRS.has(attrName)) continue;
+    const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
+    if (!valueNode) continue;
+    const code = stripQuotes(valueNode.text);
+    if (code) {
+      eventHandlers.push({
+        code,
+        eventName: attrName,
+        line: child.startPosition.row + 1,
+        element: tagName
+      });
+    }
+  }
+}
+function getTagName(node) {
+  if (node.type === "self_closing_tag") {
+    const tagNameNode = findChildByType2(node, "tag_name");
+    return tagNameNode?.text ?? "unknown";
+  }
+  const startTag = findChildByType2(node, "start_tag");
+  if (startTag) {
+    const tagNameNode = findChildByType2(startTag, "tag_name");
+    return tagNameNode?.text ?? "unknown";
+  }
+  return "unknown";
+}
+function getAttributeValue(tag, name2) {
+  if (!tag) return void 0;
+  for (let i2 = 0; i2 < tag.childCount; i2++) {
+    const child = tag.child(i2);
+    if (!child || child.type !== "attribute") continue;
+    const nameNode = findChildByType2(child, "attribute_name");
+    if (nameNode?.text.toLowerCase() === name2) {
+      const valueNode = findChildByType2(child, "quoted_attribute_value") ?? findChildByType2(child, "attribute_value");
+      return valueNode ? stripQuotes(valueNode.text) : "";
+    }
+  }
+  return void 0;
+}
+function findChildByType2(node, type) {
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child?.type === type) return child;
+  }
+  return null;
+}
+function stripQuotes(text) {
+  if (text.startsWith('"') && text.endsWith('"') || text.startsWith("'") && text.endsWith("'")) {
+    return text.slice(1, -1);
+  }
+  return text;
+}
+
+// src/analysis/html/html-attribute-security-pass.ts
+function runHtmlAttributeSecurityChecks(rootNode, filePath) {
+  const findings = [];
+  walkForSecurityChecks(rootNode, filePath, findings);
+  return findings;
+}
+function walkForSecurityChecks(node, filePath, findings) {
+  if (node.type === "element" || node.type === "self_closing_tag" || node.type === "script_element" || node.type === "style_element") {
+    checkElement(node, filePath, findings);
+  }
+  for (let i2 = 0; i2 < node.childCount; i2++) {
+    const child = node.child(i2);
+    if (child) {
+      walkForSecurityChecks(child, filePath, findings);
+    }
+  }
+}
+function checkElement(node, filePath, findings) {
+  const tagName = getTagName(node).toLowerCase();
+  const tag = node.type === "self_closing_tag" ? node : findChildByType2(node, "start_tag");
+  if (!tag) return;
+  const line = tag.startPosition.row + 1;
+  const snippet = tag.text.length > 120 ? tag.text.slice(0, 120) + "..." : tag.text;
+  if (tagName === "a") {
+    checkMissingNoopener(tag, filePath, line, snippet, findings);
+  }
+  checkJavascriptUri(tag, filePath, line, snippet, findings);
+  if (tagName === "iframe") {
+    checkMissingSandbox(tag, filePath, line, snippet, findings);
+  }
+  if (["script", "link", "img", "iframe", "video", "audio", "source", "object", "embed"].includes(tagName)) {
+    checkMixedContent(tag, tagName, filePath, line, snippet, findings);
+  }
+  if (tagName === "script" || tagName === "link") {
+    checkMissingSri(tag, tagName, filePath, line, snippet, findings);
+  }
+  if (tagName === "input") {
+    checkAutocompleteSensitive(tag, filePath, line, snippet, findings);
+  }
+  checkInlineEventHandlers(tag, filePath, line, findings);
+  if (tagName === "form") {
+    checkFormActionJavascript(tag, filePath, line, snippet, findings);
+  }
+}
+function checkMissingNoopener(tag, filePath, line, snippet, findings) {
+  const target = getAttributeValue(tag, "target");
+  if (target !== "_blank") return;
+  const rel = getAttributeValue(tag, "rel")?.toLowerCase() ?? "";
+  if (rel.includes("noopener") || rel.includes("noreferrer")) return;
+  findings.push({
+    id: `html-missing-noopener-${filePath}-${line}`,
+    pass: "html-missing-noopener",
+    category: "security",
+    rule_id: "html-missing-noopener",
+    cwe: "CWE-1022",
+    severity: "medium",
+    level: "warning",
+    message: '<a target="_blank"> is missing rel="noopener" \u2014 may allow reverse tabnapping',
+    file: filePath,
+    line,
+    snippet
+  });
+}
+function checkJavascriptUri(tag, filePath, line, snippet, findings) {
+  for (const attr of ["href", "src", "action"]) {
+    const value = getAttributeValue(tag, attr);
+    if (value && value.trim().toLowerCase().startsWith("javascript:")) {
+      findings.push({
+        id: `html-javascript-uri-${filePath}-${line}-${attr}`,
+        pass: "html-javascript-uri",
+        category: "security",
+        rule_id: "html-javascript-uri",
+        cwe: "CWE-79",
+        severity: "high",
+        level: "error",
+        message: `${attr}="javascript:..." is an XSS vector \u2014 use event listeners instead`,
+        file: filePath,
+        line,
+        snippet
+      });
+    }
+  }
+}
+function checkMissingSandbox(tag, filePath, line, snippet, findings) {
+  const sandbox = getAttributeValue(tag, "sandbox");
+  if (sandbox !== void 0) return;
+  findings.push({
+    id: `html-missing-sandbox-${filePath}-${line}`,
+    pass: "html-missing-sandbox",
+    category: "security",
+    rule_id: "html-missing-sandbox",
+    cwe: "CWE-1021",
+    severity: "medium",
+    level: "warning",
+    message: "<iframe> without sandbox attribute \u2014 embedded content has full privileges",
+    file: filePath,
+    line,
+    snippet
+  });
+}
+function checkMixedContent(tag, tagName, filePath, line, snippet, findings) {
+  const attrName = tagName === "link" ? "href" : "src";
+  const value = getAttributeValue(tag, attrName);
+  if (!value || !value.startsWith("http://")) return;
+  findings.push({
+    id: `html-mixed-content-${filePath}-${line}`,
+    pass: "html-mixed-content",
+    category: "security",
+    rule_id: "html-mixed-content",
+    cwe: "CWE-319",
+    severity: "medium",
+    level: "warning",
+    message: `Loading resource over HTTP (${attrName}="${truncate(value, 60)}") \u2014 use HTTPS to prevent MITM`,
+    file: filePath,
+    line,
+    snippet
+  });
+}
+function checkMissingSri(tag, tagName, filePath, line, snippet, findings) {
+  const url = tagName === "script" ? getAttributeValue(tag, "src") : getAttributeValue(tag, "href");
+  if (!url) return;
+  if (!url.startsWith("http://") && !url.startsWith("https://") && !url.startsWith("//")) return;
+  if (tagName === "link") {
+    const rel = getAttributeValue(tag, "rel")?.toLowerCase();
+    if (rel !== "stylesheet") return;
+  }
+  const integrity = getAttributeValue(tag, "integrity");
+  if (integrity) return;
+  findings.push({
+    id: `html-missing-sri-${filePath}-${line}`,
+    pass: "html-missing-sri",
+    category: "security",
+    rule_id: "html-missing-sri",
+    cwe: "CWE-353",
+    severity: "medium",
+    level: "warning",
+    message: `External ${tagName === "script" ? "script" : "stylesheet"} without integrity attribute \u2014 vulnerable to CDN compromise`,
+    file: filePath,
+    line,
+    snippet
+  });
+}
+function checkAutocompleteSensitive(tag, filePath, line, snippet, findings) {
+  const type = getAttributeValue(tag, "type")?.toLowerCase();
+  const name2 = getAttributeValue(tag, "name")?.toLowerCase() ?? "";
+  const isSensitive = type === "password" || /\b(ssn|social.?security|credit.?card|card.?number|cvv|cvc|ccv)\b/.test(name2);
+  if (!isSensitive) return;
+  const autocomplete = getAttributeValue(tag, "autocomplete")?.toLowerCase();
+  if (autocomplete === "off" || autocomplete === "new-password") return;
+  findings.push({
+    id: `html-autocomplete-sensitive-${filePath}-${line}`,
+    pass: "html-autocomplete-sensitive",
+    category: "security",
+    rule_id: "html-autocomplete-sensitive",
+    cwe: "CWE-525",
+    severity: "low",
+    level: "note",
+    message: 'Sensitive input field without autocomplete="off" \u2014 browser may cache sensitive data',
+    file: filePath,
+    line,
+    snippet
+  });
+}
+function checkInlineEventHandlers(tag, filePath, line, findings) {
+  for (let i2 = 0; i2 < tag.childCount; i2++) {
+    const child = tag.child(i2);
+    if (!child || child.type !== "attribute") continue;
+    const nameNode = findChildByType2(child, "attribute_name");
+    if (!nameNode) continue;
+    const attrName = nameNode.text.toLowerCase();
+    if (attrName.startsWith("on") && attrName.length > 2) {
+      const attrLine = child.startPosition.row + 1;
+      findings.push({
+        id: `html-inline-event-handler-${filePath}-${attrLine}-${attrName}`,
+        pass: "html-inline-event-handler",
+        category: "security",
+        rule_id: "html-inline-event-handler",
+        cwe: "CWE-79",
+        severity: "low",
+        level: "note",
+        message: `Inline ${attrName} handler \u2014 incompatible with strict Content Security Policy; use addEventListener() instead`,
+        file: filePath,
+        line: attrLine,
+        snippet: child.text
+      });
+    }
+  }
+}
+function checkFormActionJavascript(tag, filePath, line, snippet, findings) {
+  const action = getAttributeValue(tag, "action");
+  if (!action || !action.trim().toLowerCase().startsWith("javascript:")) return;
+  findings.push({
+    id: `html-form-action-javascript-${filePath}-${line}`,
+    pass: "html-form-action-javascript",
+    category: "security",
+    rule_id: "html-form-action-javascript",
+    cwe: "CWE-79",
+    severity: "high",
+    level: "error",
+    message: '<form action="javascript:..."> is an XSS vector \u2014 use proper form submission',
+    file: filePath,
+    line,
+    snippet
+  });
+}
+function truncate(s, maxLen) {
+  return s.length > maxLen ? s.slice(0, maxLen) + "..." : s;
+}
+
+// src/analysis/html/html-merge.ts
+function mergeHtmlResults(htmlMeta, scriptResults, attributeFindings) {
+  const allTypes = [];
+  const allCalls = [];
+  const allCfgBlocks = [];
+  const allCfgEdges = [];
+  const allDfgDefs = [];
+  const allDfgUses = [];
+  const allSources = [];
+  const allSinks = [];
+  const allSanitizers = [];
+  const allImports = [];
+  const allExports = [];
+  const allFindings = [];
+  let cfgBlockIdOffset = 0;
+  let dfgDefIdOffset = 0;
+  let dfgUseIdOffset = 0;
+  for (const { ir, lineOffset } of scriptResults) {
+    const lineShift = lineOffset - 1;
+    const htmlFile = htmlMeta.file;
+    for (const type of ir.types) {
+      allTypes.push({
+        ...type,
+        start_line: type.start_line + lineShift,
+        end_line: type.end_line + lineShift,
+        methods: type.methods.map((m) => ({
+          ...m,
+          start_line: m.start_line + lineShift,
+          end_line: m.end_line + lineShift
+        })),
+        fields: [...type.fields]
+      });
+    }
+    for (const call of ir.calls) {
+      allCalls.push({
+        ...call,
+        location: {
+          ...call.location,
+          line: call.location.line + lineShift
+        }
+      });
+    }
+    const maxBlockId = ir.cfg.blocks.reduce((max, b) => Math.max(max, b.id), 0);
+    for (const block of ir.cfg.blocks) {
+      allCfgBlocks.push({
+        ...block,
+        id: block.id + cfgBlockIdOffset,
+        start_line: block.start_line + lineShift,
+        end_line: block.end_line + lineShift
+      });
+    }
+    for (const edge of ir.cfg.edges) {
+      allCfgEdges.push({
+        ...edge,
+        from: edge.from + cfgBlockIdOffset,
+        to: edge.to + cfgBlockIdOffset
+      });
+    }
+    cfgBlockIdOffset += maxBlockId + 1;
+    const maxDefId = ir.dfg.defs.reduce((max, d) => Math.max(max, d.id), 0);
+    const maxUseId = ir.dfg.uses.reduce((max, u) => Math.max(max, u.id), 0);
+    for (const def of ir.dfg.defs) {
+      allDfgDefs.push({
+        ...def,
+        id: def.id + dfgDefIdOffset,
+        line: def.line + lineShift
+      });
+    }
+    for (const use of ir.dfg.uses) {
+      allDfgUses.push({
+        ...use,
+        id: use.id + dfgUseIdOffset,
+        def_id: use.def_id !== null ? use.def_id + dfgDefIdOffset : null,
+        line: use.line + lineShift
+      });
+    }
+    dfgDefIdOffset += maxDefId + 1;
+    dfgUseIdOffset += maxUseId + 1;
+    for (const source of ir.taint.sources) {
+      allSources.push({
+        ...source,
+        line: source.line + lineShift
+      });
+    }
+    for (const sink of ir.taint.sinks) {
+      allSinks.push({
+        ...sink,
+        line: sink.line + lineShift
+      });
+    }
+    for (const sanitizer of ir.taint.sanitizers ?? []) {
+      allSanitizers.push({
+        ...sanitizer,
+        line: sanitizer.line + lineShift
+      });
+    }
+    for (const imp of ir.imports) {
+      allImports.push({
+        ...imp,
+        line_number: imp.line_number !== null ? imp.line_number + lineShift : null
+      });
+    }
+    allExports.push(...ir.exports);
+    for (const finding of ir.findings ?? []) {
+      allFindings.push({
+        ...finding,
+        file: htmlFile,
+        line: finding.line + lineShift
+      });
+    }
+  }
+  allFindings.push(...attributeFindings);
+  const taint = {
+    sources: allSources,
+    sinks: allSinks,
+    sanitizers: allSanitizers.length > 0 ? allSanitizers : void 0
+  };
+  const cfg = {
+    blocks: allCfgBlocks,
+    edges: allCfgEdges
+  };
+  const dfg = {
+    defs: allDfgDefs,
+    uses: allDfgUses
+  };
+  return {
+    meta: htmlMeta,
+    types: allTypes,
+    calls: allCalls,
+    cfg,
+    dfg,
+    taint,
+    imports: allImports,
+    exports: allExports,
+    unresolved: [],
+    enriched: {},
+    findings: allFindings.length > 0 ? allFindings : void 0
+  };
+}
+
 // src/analysis/passes/taint-matcher-pass.ts
 var TaintMatcherPass = class {
   name = "taint-matcher";
@@ -17637,6 +18203,7 @@ var ConstantPropagationPass = class {
   constructor(tree) {
     this.tree = tree;
   }
+  tree;
   name = "constant-propagation";
   category = "security";
   run(ctx) {
@@ -22760,6 +23327,16 @@ function getNodeTypesForLanguage(language) {
         "c_style_for_statement",
         "while_statement"
       ]);
+    case "html":
+      return /* @__PURE__ */ new Set([
+        "element",
+        "script_element",
+        "style_element",
+        "attribute",
+        "start_tag",
+        "self_closing_tag",
+        "text"
+      ]);
     default:
       return /* @__PURE__ */ new Set([
         "method_invocation",
@@ -22778,6 +23355,9 @@ async function analyze(code, filePath, language, options = {}) {
   if (!initialized) {
     await initAnalyzer(options);
   }
+  if (language === "html") {
+    return analyzeHtmlFile(code, filePath, options);
+  }
   logger.debug("Analyzing file", { filePath, language, codeLength: code.length });
   const tree = await parse(code, language);
   logger.trace("Parsed AST", { rootNodeType: tree.rootNode.type });
@@ -22884,6 +23464,56 @@ async function analyze(code, filePath, language, options = {}) {
     metrics: { file: filePath, metrics: metricValues }
   };
 }
+async function analyzeHtmlFile(code, filePath, options) {
+  logger.debug("Analyzing HTML file", { filePath, codeLength: code.length });
+  const tree = await parse(code, "html");
+  const meta = extractMeta(code, tree, filePath, "html");
+  const { scriptBlocks, eventHandlers } = extractHtmlContent(tree.rootNode);
+  logger.debug("HTML extraction", {
+    filePath,
+    inlineScripts: scriptBlocks.filter((b) => b.kind === "inline").length,
+    externalScripts: scriptBlocks.filter((b) => b.kind === "external-src").length,
+    eventHandlers: eventHandlers.length
+  });
+  const scriptResults = [];
+  for (const block of scriptBlocks) {
+    if (block.kind !== "inline" || !block.code.trim()) continue;
+    const scriptLang = block.scriptType === "ts" || block.scriptType === "typescript" || block.scriptType === "text/typescript" ? "typescript" : "javascript";
+    try {
+      const ir = await analyze(block.code, filePath, scriptLang, options);
+      scriptResults.push({ ir, lineOffset: block.lineOffset });
+    } catch (e) {
+      logger.warn("Failed to analyze script block", {
+        filePath,
+        lineOffset: block.lineOffset,
+        error: e instanceof Error ? e.message : String(e)
+      });
+    }
+  }
+  for (const handler of eventHandlers) {
+    const wrappedCode = `function __${handler.eventName}_handler() { ${handler.code} }`;
+    try {
+      const ir = await analyze(wrappedCode, filePath, "javascript", options);
+      scriptResults.push({ ir, lineOffset: handler.line });
+    } catch (e) {
+      logger.warn("Failed to analyze event handler", {
+        filePath,
+        eventName: handler.eventName,
+        line: handler.line,
+        error: e instanceof Error ? e.message : String(e)
+      });
+    }
+  }
+  const attributeFindings = runHtmlAttributeSecurityChecks(tree.rootNode, filePath);
+  const result = mergeHtmlResults(meta, scriptResults, attributeFindings);
+  logger.debug("HTML analysis complete", {
+    filePath,
+    scriptBlocks: scriptResults.length,
+    attributeFindings: attributeFindings.length,
+    totalFindings: result.findings?.length ?? 0
+  });
+  return result;
+}
 async function analyzeForAPI(code, filePath, language, options = {}) {
   const startTime = performance.now();
   if (!initialized) {

package/dist/core/circle-ir-core.cjs

@@ -11528,6 +11528,8 @@ var ExpressionEvaluator = class {
     this.source = source;
     this.getSymbol = getSymbol;
   }
+  source;
+  getSymbol;
   /**
    * Evaluate an expression node to determine its constant value.
    */

package/dist/core/circle-ir-core.js

@@ -11463,6 +11463,8 @@ var ExpressionEvaluator = class {
     this.source = source;
     this.getSymbol = getSymbol;
   }
+  source;
+  getSymbol;
   /**
    * Evaluate an expression node to determine its constant value.
    */