From aa2a49d1898043e57c391d7abc1d9c3e3b5b51a2 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Fri, 24 Apr 2020 11:30:24 +0100
Subject: [PATCH] JS: Rewrite mayHaveStringValue to avoid misoptimization

---
 .../ql/src/semmle/javascript/dataflow/DataFlow.qll    | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
index 3e435b81094..751a331895d 100644
--- a/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
+++ b/javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
@@ -118,7 +118,11 @@ module DataFlow {
     predicate accessesGlobal(string g) { globalVarRef(g).flowsTo(this) }
 
     /** Holds if this node may evaluate to the string `s`, possibly through local data flow. */
-    predicate mayHaveStringValue(string s) { getAPredecessor().mayHaveStringValue(s) }
+    predicate mayHaveStringValue(string s) {
+      getAPredecessor().mayHaveStringValue(s)
+      or
+      s = getStringValue()
+    }
 
     /** Gets the string value of this node, if it is a string literal or constant string concatenation. */
     string getStringValue() { result = asExpr().getStringValue() }
@@ -297,11 +301,6 @@ module DataFlow {
     /** Gets the expression or declaration this node corresponds to. */
     override AST::ValueNode getAstNode() { result = astNode }
 
-    override predicate mayHaveStringValue(string s) {
-      Node.super.mayHaveStringValue(s) or
-      astNode.(ConstantString).getStringValue() = s
-    }
-
     override BasicBlock getBasicBlock() { astNode = result.getANode() }
 
     override predicate hasLocationInfo(