JS: Remove jump steps from IIFE steps

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll

@@ -1217,14 +1217,29 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
 
 predicate localMustFlowStep(Node node1, Node node2) { node1 = node2.getImmediatePredecessor() }
 
+/**
+ * Holds if `node1 -> node2` should be removed as a jump step.
+ *
+ * Currently this is done as a workaround for the local steps generated from IIFEs.
+ */
+private predicate excludedJumpStep(Node node1, Node node2) {
+  exists(ImmediatelyInvokedFunctionExpr iife |
+    iife.argumentPassing(node2.asExpr(), node1.asExpr())
+    or
+    node1 = iife.getAReturnedExpr().flow() and
+    node2 = iife.getInvocation().flow()
+  )
+}
+
 /**
  * Holds if data can flow from `node1` to `node2` through a non-local step
  * that does not follow a call edge. For example, a step through a global
  * variable.
  */
 predicate jumpStep(Node node1, Node node2) {
   valuePreservingStep(node1, node2) and
-  node1.getContainer() != node2.getContainer()
+  node1.getContainer() != node2.getContainer() and
+  not excludedJumpStep(node1, node2)
   or
   FlowSummaryPrivate::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
     node2.(FlowSummaryNode).getSummaryNode())

javascript/ql/test/library-tests/TripleDot/iife.js

@@ -4,8 +4,8 @@ function f1() {
             return p; // argument to return
         })(x);
     }
-    sink(inner(source("f1.1"))); // $ hasValueFlow=f1.1 SPURIOUS: hasValueFlow=f1.2
-    sink(inner(source("f1.2"))); // $ hasValueFlow=f1.2 SPURIOUS: hasValueFlow=f1.1
+    sink(inner(source("f1.1"))); // $ hasValueFlow=f1.1
+    sink(inner(source("f1.2"))); // $ hasValueFlow=f1.2
 }
 
 function f2() {
@@ -16,8 +16,8 @@ function f2() {
         })(x);
         return y;
     }
-    sink(inner(source("f2.1"))); // $ hasValueFlow=f2.1 SPURIOUS: hasValueFlow=f2.2
-    sink(inner(source("f2.2"))); // $ hasValueFlow=f2.2 SPURIOUS: hasValueFlow=f2.1
+    sink(inner(source("f2.1"))); // $ MISSING: hasValueFlow=f2.1
+    sink(inner(source("f2.2"))); // $ MISSING: hasValueFlow=f2.2
 }
 
 function f3() {
@@ -26,8 +26,8 @@ function f3() {
             return x; // captured variable to return
         })();
     }
-    sink(inner(source("f3.1"))); // $ hasValueFlow=f3.1 SPURIOUS: hasValueFlow=f3.2
-    sink(inner(source("f3.2"))); // $ hasValueFlow=f3.2 SPURIOUS: hasValueFlow=f3.1
+    sink(inner(source("f3.1"))); // $ hasValueFlow=f3.1
+    sink(inner(source("f3.2"))); // $ hasValueFlow=f3.2
 }
 
 function f4() {