From bee9ead5708bf2408b4b12d3c23d0db04ea616c5 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan <owen-mc@github.com>
Date: Thu, 28 May 2026 16:27:11 +0100
Subject: [PATCH] Fix CFG for range loop

---
 .../semmle/go/controlflow/ControlFlowGraphShared.qll   | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/go/ql/lib/semmle/go/controlflow/ControlFlowGraphShared.qll b/go/ql/lib/semmle/go/controlflow/ControlFlowGraphShared.qll
index d5a5fefbc0a..d2458828266 100644
--- a/go/ql/lib/semmle/go/controlflow/ControlFlowGraphShared.qll
+++ b/go/ql/lib/semmle/go/controlflow/ControlFlowGraphShared.qll
@@ -1195,11 +1195,13 @@ module GoCfg {
 
     private predicate rangeLoop(PreControlFlowNode n1, PreControlFlowNode n2) {
       exists(Go::RangeStmt s |
+        // Use the shared library's auto-created `[LoopHeader]` additional node
+        // (created for every `LoopStmt`) as the join/branch point of the range loop.
         n1.isBefore(s) and n2.isBefore(s.getDomain())
         or
-        n1.isAfter(s.getDomain()) and n2.isIn(s)
+        n1.isAfter(s.getDomain()) and n2.isAdditional(s, "[LoopHeader]")
         or
-        n1.isIn(s) and
+        n1.isAdditional(s, "[LoopHeader]") and
         (
           n2.isBefore(s.getKey())
           or
@@ -1215,9 +1217,9 @@ module GoCfg {
         or
         n1.isAfter(s.getValue()) and n2.isBefore(s.getBody())
         or
-        n1.isAfter(s.getBody()) and n2.isIn(s)
+        n1.isAfter(s.getBody()) and n2.isAdditional(s, "[LoopHeader]")
         or
-        n1.isIn(s) and n2.isAfter(s)
+        n1.isAdditional(s, "[LoopHeader]") and n2.isAfter(s)
       )
     }