diff --git a/ql/src/semmle/go/dataflow/SSA.qll b/ql/src/semmle/go/dataflow/SSA.qll
index 519b281893a..b8dfd7f8804 100644
--- a/ql/src/semmle/go/dataflow/SSA.qll
+++ b/ql/src/semmle/go/dataflow/SSA.qll
@@ -306,7 +306,7 @@ private newtype TSsaWithFields =
 TStep(SsaWithFields base, Field f) { exists(accessPathAux(base, f)) }
 /**
- * Gets a representation of `nd` as an ssa-with-fields value if there is one.
+ * Gets a representation of `insn` as an ssa-with-fields-and-elements value if there is one.
 */
 private TSsaWithFields accessPath(IR::Instruction insn) {
 exists(SsaVariable v | insn = v.getAUse() | result = TRoot(v))
diff --git a/ql/src/semmle/go/frameworks/Protobuf.qll b/ql/src/semmle/go/frameworks/Protobuf.qll
index 06a754b8d2a..aaf8e511bf6 100644
--- a/ql/src/semmle/go/frameworks/Protobuf.qll
+++ b/ql/src/semmle/go/frameworks/Protobuf.qll
@@ -49,28 +49,22 @@ module Protobuf {
 }
 /**
- * Additional taint-flow step modelling flow from MarshalInput.Message to MarshalOutput,
- * mediated by a MarshalOptions.MarshalState call.
+ * Additional taint-flow step modelling flow from `MarshalInput.Message` to `MarshalOutput`,
+ * mediated by a `MarshalOptions.MarshalState` call.
 *
- * Note we can taint the whole MarshalOutput as it only has one field (Buf), and taint-
+ * Note we can taint the whole `MarshalOutput` as it only has one field (`Buf`), and taint-
 * tracking always considers a field of a tainted struct to itself be tainted.
 */
 private class MarshalStateStep extends TaintTracking::AdditionalTaintStep {
 override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
- exists(
- DataFlow::Node marshalInput, DataFlow::Node passedMarshalInput,
- DataFlow::CallNode marshalStateCall
- |
+ exists(DataFlow::Node marshalInput, DataFlow::CallNode marshalStateCall |
 marshalStateCall = marshalStateMethod().getACall() and
 // pred -> marshalInput.Message
 any(DataFlow::Write w)
 .writesField(marshalInput.(DataFlow::PostUpdateNode).getPreUpdateNode(), inputMessageField(), pred) and
- // marshalInput -> passedMarshalInput
- passedMarshalInput.asExpr().getGlobalValueNumber() =
- marshalInput.asExpr().getGlobalValueNumber() and
- // passedMarshalInput -> marshalStateCall
- marshalStateCall.getArgument(0) = passedMarshalInput and
+ // marshalInput -> marshalStateCall
+ marshalStateCall.getArgument(0) = globalValueNumber(marshalInput).getANode() and
 // marshalStateCall -> succ
 marshalStateCall.getResult() = succ
 )
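Review bot: The rewritten conjunct `marshalStateCall.getArgument(0) = globalValueNumber(marshalInput).getANode()` applies value numbering to `marshalInput`, which the `writesField` conjunct just above constrains to be a `DataFlow::PostUpdateNode`, and nothing visible in the hunk shows that such a node has a value number. If it has none, the step matches nothing and raises no error, so taint through `MarshalState` would silently be lost. A library test that passes a tainted `Message` to `MarshalState` would pin this, though one may already exist outside the hunk. The link is by value number only, so it presumably does not check that the field write precedes the call; the comment could say so, e.g. `// marshalInput -> marshalStateCall (matched by value number; write/call order is not checked)`. The `step` predicate and the `MarshalStateStep` class both continue past the end of the hunk.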