From 5348b035591f3d6d92106ffe709fc96e59810c7d Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 29 Aug 2024 10:31:46 +0200
Subject: [PATCH 1/4] Data flow: Duplicate call to 'revFlow'

This needs to be joined differently for some of the disjuncts in the exists
---
 shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
index f42da2f2fc00..5e6d169e8015 100644
--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -2708,7 +2708,9 @@ module MakeImpl Lang> {
  or
  callEdgeReturn(_, _, node, _, next, _, ap) and
  apNext = ap
- or
+ )
+ or
+ exists(NodeEx next, Ap apNext | revFlow(next, pragma[only_bind_into](state), apNext) |
  storeStepCand(node, _, _, next, _, _)
  or
  readStepCand(node, _, next)

From 5a47dd1a2439f42a4bfd2cd8d883680c03b907f2 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 29 Aug 2024 10:46:46 +0200
Subject: [PATCH 2/4] Data flow: remove unused 'apNext'

---
 shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
index 5e6d169e8015..049f37abb4d3 100644
--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -2710,7 +2710,7 @@ module MakeImpl Lang> {
  apNext = ap
  )
  or
- exists(NodeEx next, Ap apNext | revFlow(next, pragma[only_bind_into](state), apNext) |
+ exists(NodeEx next | revFlow(next, pragma[only_bind_into](state), _) |
  storeStepCand(node, _, _, next, _, _)
  or
  readStepCand(node, _, next)

From 60faa002f94df0ef4c924909d1798584dcdb5176 Mon Sep 17 00:00:00 2001
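Review bot: The reason the `storeStepCand`/`readStepCand` disjuncts are moved into their own `exists` lives only in the commit message, so the two back-to-back `revFlow(next, ...)` calls read as accidental duplication to anyone who did not see it. In the first `exists` every disjunct pins `apNext = ap`, while the new one leaves the access path of `next` unconstrained, which is the actual difference worth recording. A comment above the added `exists`, e.g. `// Joined separately: after a store/read step 'next' only needs to be reachable in 'state' for some access path, not for 'ap' itself.`, would keep a future cleanup from merging the two back together. The enclosing predicate (`localFlowExit`, per the later patches in this series) begins before this hunk and ends after it.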
From: Asger F
Date: Thu, 29 Aug 2024 10:47:44 +0200
Subject: [PATCH 3/4] Data flow: unify apNext with ap as they're always equal in this clause

---
 .../codeql/dataflow/internal/DataFlowImpl.qll | 12 ++++-------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
index 049f37abb4d3..ff54fa523f0c 100644
--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -2695,19 +2695,15 @@ module MakeImpl Lang> {
  private predicate localFlowExit(NodeEx node, FlowState state, Ap ap) {
  revFlow(node, pragma[only_bind_into](state), pragma[only_bind_into](ap)) and
  (
- exists(NodeEx next, Ap apNext | revFlow(next, pragma[only_bind_into](state), apNext) |
- jumpStepEx(node, next) and
- apNext = ap
+ exists(NodeEx next | revFlow(next, pragma[only_bind_into](state), ap) |
+ jumpStepEx(node, next)
  or
  additionalJumpStep(node, next, _) and
- apNext = ap and
  ap instanceof ApNil
  or
- callEdgeArgParam(_, _, node, next, _, ap) and
- apNext = ap
+ callEdgeArgParam(_, _, node, next, _, ap)
  or
- callEdgeReturn(_, _, node, _, next, _, ap) and
- apNext = ap
+ callEdgeReturn(_, _, node, _, next, _, ap)
  )
  or
  exists(NodeEx next | revFlow(next, pragma[only_bind_into](state), _) |

From f3a6561a9fa070b1d25a22adcb555cfb6a4db778 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 29 Aug 2024 10:48:23 +0200
Subject: [PATCH 4/4] Data flow: add only_bind_out to 'next'

---
 shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
index ff54fa523f0c..5cf42a148b74 100644
--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
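Review bot: Replacing `apNext` with `ap` in the inner `revFlow(next, pragma[only_bind_into](state), ap)` leaves `ap` unannotated while the outer `revFlow(node, ..., pragma[only_bind_into](ap))` two lines above deliberately restricts it, so the two calls now treat the same variable differently. The previous version never had this question because `apNext` was a fresh existential that was then equated with `ap`; now the optimizer is free to bind `ap` from the inner `revFlow` and join `callEdgeArgParam`/`callEdgeReturn` on it, or the reverse, and nothing records which is wanted. If the outer call's intent applies here too, `revFlow(next, pragma[only_bind_into](state), pragma[only_bind_into](ap))` would say so; if the freedom is deliberate, a one-line comment would spare the next reader the same question. Patch 4/4 rewrites this same line and inherits the asymmetry, so whichever answer is right belongs there as well.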
@@ -2695,7 +2695,9 @@ module MakeImpl Lang> {
  private predicate localFlowExit(NodeEx node, FlowState state, Ap ap) {
  revFlow(node, pragma[only_bind_into](state), pragma[only_bind_into](ap)) and
  (
- exists(NodeEx next | revFlow(next, pragma[only_bind_into](state), ap) |
+ exists(NodeEx next |
+ revFlow(pragma[only_bind_out](next), pragma[only_bind_into](state), ap)
+ |
  jumpStepEx(node, next)
  or
  additionalJumpStep(node, next, _) and
@@ -2706,7 +2708,9 @@ module MakeImpl Lang> {
  callEdgeReturn(_, _, node, _, next, _, ap)
  )
  or
- exists(NodeEx next | revFlow(next, pragma[only_bind_into](state), _) |
+ exists(NodeEx next |
+ revFlow(pragma[only_bind_out](next), pragma[only_bind_into](state), _)
+ |
  storeStepCand(node, _, _, next, _, _)
  or
  readStepCand(node, _, next)
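Review bot: Neither the code nor the one-line commit message says why `next` now has to be bound out of `revFlow` rather than by the step predicates that follow it, and the pragma is the only thing distinguishing this `revFlow` call from the one it replaces; the same applies to the second hunk, where the identical three-line shape is added for the store/read `exists`. Join-order pragmas in this file tend to be the first thing a later refactor removes when it does not know what they fix, so a short comment on the `revFlow(pragma[only_bind_out](next), ...)` line of each `exists`, e.g. `// Let revFlow bind 'next'; the step predicates below only filter it.`, would record the intent, assuming that is the intended join order. With the `exists` header now spanning three lines, the guard and its body are also harder to tell apart at a glance; the comment doubles as the visual separator. The body of `localFlowExit` continues past the second hunk, so whether the same pattern recurs further down is not visible here.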