change LoadStoreStep such that it can store in different property

Author: erik-krogh

javascript/ql/src/semmle/javascript/Promises.qll

@@ -176,7 +176,7 @@ module PromiseTypeTracking {
       summary = StoreStep(field) and
       step.store(pred, result, field)
       or
-      summary = LoadStoreStep(field) and
+      summary = LoadStoreStep(field, field) and
       step.loadStore(pred, result, field)
     )
   }
@@ -246,6 +246,12 @@ abstract private class PromiseFlowStep extends DataFlow::AdditionalFlowStep {
   final override predicate loadStoreStep(DataFlow::Node pred, DataFlow::Node succ, string prop) {
     this.loadStore(pred, succ, prop)
   }
+
+  final override predicate loadStoreStep(
+    DataFlow::Node pred, DataFlow::Node succ, string loadProp, string storeProp
+  ) {
+    none()
+  }
 }
 
 /**

javascript/ql/src/semmle/javascript/dataflow/TypeTracking.qll

@@ -53,7 +53,9 @@ class TypeTracker extends TTypeTracker {
   TypeTracker append(StepSummary step) {
     step = LevelStep() and result = this
     or
-    step = LoadStoreStep(prop) and result = this
+    exists(string toProp | step = LoadStoreStep(prop, toProp) |
+      result = MkTypeTracker(hasCall, toProp)
+    )
     or
     step = CallStep() and result = MkTypeTracker(true, prop)
     or
@@ -213,7 +215,9 @@ class TypeBackTracker extends TTypeBackTracker {
   TypeBackTracker prepend(StepSummary step) {
     step = LevelStep() and result = this
     or
-    step = LoadStoreStep(prop) and result = this
+    exists(string fromProp | step = LoadStoreStep(fromProp, prop) |
+      result = MkTypeBackTracker(hasReturn, fromProp)
+    )
     or
     step = CallStep() and hasReturn = false and result = this
     or

javascript/ql/src/semmle/javascript/dataflow/internal/StepSummary.qll

@@ -24,6 +24,11 @@ class OptionalPropertyName extends string {
 abstract class TypeTrackingPseudoProperty extends string {
   bindingset[this]
   TypeTrackingPseudoProperty() { any() }
+
+  /**
+   * Gets a property name that `this` can be copied to in a `LoadStoreStep(this, result)`. 
+   */ 
+  string getLoadStoreToProp() { none() }
 }
 
 /**
@@ -35,7 +40,12 @@ newtype TStepSummary =
   ReturnStep() or
   StoreStep(PropertyName prop) or
   LoadStep(PropertyName prop) or
-  LoadStoreStep(PropertyName prop)
+  LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
+    fromProp = toProp or
+    exists(TypeTrackingPseudoProperty prop | 
+      fromProp = prop and toProp = prop.getLoadStoreToProp()  
+    )
+  }
 
 /**
  * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead.
@@ -55,7 +65,9 @@ class StepSummary extends TStepSummary {
     or
     exists(string prop | this = LoadStep(prop) | result = "load " + prop)
     or
-    exists(string prop | this = LoadStoreStep(prop) | result = "in " + prop)
+    exists(string fromProp, string toProp | this = LoadStoreStep(fromProp, toProp) |
+      result = "copy " + fromProp + " to " + toProp
+    )
   }
 }