JS: Make type inference flow go through ssa definition node

Author: asger-semmle

javascript/ql/src/semmle/javascript/dataflow/internal/VariableTypeInference.qll

@@ -33,25 +33,21 @@ private class AnalyzedCapturedVariable extends @variable {
 /**
  * Flow analysis for accesses to SSA variables.
  */
-private class SsaVarAccessAnalysis extends DataFlow::AnalyzedValueNode {
-  AnalyzedSsaDefinition def;
-
-  SsaVarAccessAnalysis() { astNode = def.getVariable().getAUse() }
-
-  override AbstractValue getALocalValue() { result = def.getAnRhsValue() }
+private class AnalyzedSsaDefinitionNode extends AnalyzedNode, DataFlow::SsaDefinitionNode {
+  override AbstractValue getALocalValue() { result = ssa.(AnalyzedSsaDefinition).getAnRhsValue() }
 }
 
 /**
  * Flow analysis for accesses to SSA variables.
  *
- * Unlike `SsaVarAccessAnalysis`, this only contributes to `getAValue()`, not `getALocalValue()`.
+ * Unlike `AnalyzedSsaDefinitionNode`, this only contributes to `getAValue()`, not `getALocalValue()`.
  */
-private class SsaVarAccessWithNonLocalAnalysis extends SsaVarAccessAnalysis {
+private class AnalyzedSsaDefinitionNodeWithNonLocalAnalysis extends AnalyzedSsaDefinitionNode {
   DataFlow::AnalyzedValueNode src;
 
-  SsaVarAccessWithNonLocalAnalysis() {
+  AnalyzedSsaDefinitionNodeWithNonLocalAnalysis() {
     exists(VarDef varDef |
-      varDef = def.(SsaExplicitDefinition).getDef() and
+      varDef = ssa.(SsaExplicitDefinition).getDef() and
       varDef.getSource().flow() = src and
       src instanceof CallWithNonLocalAnalyzedReturnFlow
     )
@@ -60,6 +56,23 @@ private class SsaVarAccessWithNonLocalAnalysis extends SsaVarAccessAnalysis {
   override AbstractValue getAValue() { result = src.getAValue() }
 }
 
+/**
+ * Flow analysis for SSA variable uses.
+ *
+ * Ensures that `getAValue` propagates from the SSA definition to its use.
+ */
+private class AnalyzedSsaVariableUse extends AnalyzedValueNode {
+  AnalyzedSsaVariableUse() {
+    this = DataFlow::valueNode(any(SsaVariable v).getAUse())
+  }
+
+  override AbstractValue getAValue() {
+    result = AnalyzedValueNode.super.getAValue()
+    or
+    result = localFlowPred().getAValue()
+  }
+}
+
 /**
  * Flow analysis for `VarDef`s.
  */

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -1,8 +1,4 @@
 typeInferenceMismatch
-| addexpr.js:4:10:4:17 | source() | addexpr.js:4:5:4:17 | x |
-| addexpr.js:4:10:4:17 | source() | addexpr.js:6:3:6:14 | x |
-| addexpr.js:11:15:11:22 | source() | addexpr.js:17:5:17:18 | value |
-| addexpr.js:11:15:11:22 | source() | addexpr.js:19:3:19:14 | value |
 | destruct.js:20:7:20:14 | source() | destruct.js:13:14:13:19 | [a, b] |
 #select
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |