JS: Fix handling of spread args on a bound function

Author: asgerf

javascript/ql/lib/semmle/javascript/ApiGraphs.qll

@@ -962,11 +962,14 @@ module API {
     }
 
     private predicate spreadArgumentPassing(TApiNode base, int i, DataFlow::Node spreadArray) {
-      exists(DataFlow::Node use, DataFlow::SourceNode pred, int bound, InvokeExpr invoke |
+      exists(
+        DataFlow::Node use, DataFlow::SourceNode pred, int bound, InvokeExpr invoke, int spreadPos
+      |
         use(base, use) and
         pred = trackUseNode(use, _, bound, "") and
-        invoke = getAnInvocationWithSpread(pred, i) and
-        spreadArray = invoke.getArgument(i - bound).(SpreadElement).getOperand().flow()
+        invoke = getAnInvocationWithSpread(pred, spreadPos) and
+        spreadArray = invoke.getArgument(spreadPos).(SpreadElement).getOperand().flow() and
+        i = bound + spreadPos
       )
     }
 

javascript/ql/test/ApiGraphs/spread/tst.js

@@ -18,3 +18,12 @@ function getArgs() {
 }
 
 lib.m2(...getArgs());
+
+function f3() {
+    return [
+        'x', /* def=moduleImport("something").getMember("exports").getMember("m3").getSpreadArgument(1).getArrayElement() */
+        'y', /* def=moduleImport("something").getMember("exports").getMember("m3").getSpreadArgument(1).getArrayElement() */
+    ]
+}
+
+lib.m3.bind(undefined, 1)(...f3());