More CG tweaks

asgerf · asgerf · commit 47e8a22a60cd · 2025-09-22T08:59:51.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/CallGraphs.qll
@@ -18,14 +18,29 @@ module CallGraph {
   }
 
   pragma[nomagic]
-  private DataFlow::SourceNode backtrackStoreTarget() {
-    shouldBackTrack(result)
+  private predicate methodHostToReceiverStep(DataFlow::SourceNode node1, DataFlow::SourceNode node2) {
+    exists(DataFlow::PropWrite write |
+      node1 = write.getBase().getALocalSource() and
+      node2 = write.getRhs().getALocalSource().(DataFlow::FunctionNode).getReceiver()
+    )
+  }
+
+  pragma[inline]
+  private predicate step(DataFlow::SourceNode node1, DataFlow::SourceNode node2) {
+    AccessPath::step(node1.getALocalUse(), node2)
     or
-    AccessPath::step(result.getALocalUse(), backtrackStoreTarget())
+    propertyFlowStep(node1.getALocalUse(), node2)
     or
-    propertyFlowStep(result.getALocalUse(), backtrackStoreTarget())
+    storeReadStep(node1, node2)
     or
-    storeReadStep(result, backtrackStoreTarget())
+    methodHostToReceiverStep(node1, node2)
+  }
+
+  pragma[nomagic]
+  private DataFlow::SourceNode backtrackStoreTarget() {
+    shouldBackTrack(result)
+    or
+    step(result, backtrackStoreTarget())
   }
 
   pragma[nomagic]
@@ -63,15 +78,9 @@ module CallGraph {
   pragma[nomagic]
   private DataFlow::SourceNode track(DataFlow::SourceNode source) {
     shouldTrack(source) and
-    (
-      result = source
-      or
-      AccessPath::step(track(source).getALocalUse(), result)
-      or
-      propertyFlowStep(track(source).getALocalUse(), result)
-      or
-      storeReadStep(track(source), result)
-    )
+    result = source
+    or
+    step(track(source), result)
   }
 
   /** Gets the function referenced by `node`, as determined by the type inference. */
