JS: Also summarize loadStore steps

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/internal/StepSummary.qll

@@ -45,6 +45,8 @@ private module Cached {
       CopyStep(PropertyName prop) or
       LoadStoreStep(PropertyName fromProp, PropertyName toProp) {
         SharedTypeTrackingStep::loadStoreStep(_, _, fromProp, toProp)
+        or
+        summarizedLoadStoreStep(_, _, fromProp, toProp)
       } or
       WithoutPropStep(PropertySet props) { SharedTypeTrackingStep::withoutPropStep(_, _, props) }
   }
@@ -69,6 +71,26 @@ private module Cached {
     AccessPath::isAssignedInUniqueFile(global)
   }
 
+  bindingset[fun]
+  pragma[inline_late]
+  private DataFlow::PropRead getStoredPropRead(DataFlow::FunctionNode fun, string storeProp) {
+    result = fun.getAReturn().getALocalSource().getAPropertySource(storeProp)
+  }
+
+  /**
+   * Holds if `loadProp` of `parameter` is stored in the `storeProp` property of the return value of `fun`.
+   */
+  pragma[nomagic]
+  private predicate summarizedLoadStoreStep(
+    DataFlow::ParameterNode param, DataFlow::FunctionNode fun, string loadProp, string storeProp
+  ) {
+    exists(DataFlow::PropRead read |
+      read = getStoredPropRead(fun, storeProp) and
+      read.getBase().getALocalSource() = param and
+      read.getPropertyName() = loadProp
+    )
+  }
+
   /**
    * INTERNAL: Use `TypeBackTracker.smallstep()` instead.
    */
@@ -160,6 +182,11 @@ private module Cached {
           fun.getAReturn().getALocalSource().getAPropertySource(prop) = param and
           summary = StoreStep(prop)
         )
+        or
+        exists(string loadProp, string storeProp |
+          summarizedLoadStoreStep(param, fun, loadProp, storeProp) and
+          summary = LoadStoreStep(loadProp, storeProp)
+        )
       ) and
       if param = fun.getAParameter()
       then

javascript/ql/test/library-tests/TypeTracking/TypeTracking.expected

@@ -1 +0,0 @@
-| summarize.js:33:14:33:26 | // track: obj | Failed to track obj here. |