JS: Use TCapturedVariableNode as starting point of callInputStep

Author: asgerf

javascript/ql/src/semmle/javascript/dataflow/Configuration.qll

@@ -926,10 +926,10 @@ private predicate callInputStep(
     argumentPassing(invk, pred, f, succ)
     or
     isRelevant(pred, cfg) and
-    exists(SsaDefinition prevDef, SsaDefinition def |
-      pred = DataFlow::ssaDefinitionNode(prevDef) and
+    exists(LocalVariable variable, SsaDefinition def |
+      pred = DataFlow::capturedVariableNode(variable) and
       calls(invk, f) and
-      captures(f, prevDef, def) and
+      captures(f, variable, def) and
       succ = DataFlow::ssaDefinitionNode(def)
     )
   ) and

javascript/ql/src/semmle/javascript/dataflow/TrackedNodes.qll

@@ -122,10 +122,10 @@ private module NodeTracking {
     (
       argumentPassing(invk, pred, f, succ)
       or
-      exists(SsaDefinition prevDef, SsaDefinition def |
-        pred = DataFlow::ssaDefinitionNode(prevDef) and
+      exists(LocalVariable variable, SsaDefinition def |
+        pred = DataFlow::capturedVariableNode(variable) and
         calls(invk, f) and
-        captures(f, prevDef, def) and
+        captures(f, variable, def) and
         succ = DataFlow::ssaDefinitionNode(def)
       )
     )

javascript/ql/src/semmle/javascript/dataflow/internal/FlowSteps.qll

@@ -78,11 +78,11 @@ predicate localExceptionStep(DataFlow::Node pred, DataFlow::Node succ) {
 cached
 private module CachedSteps {
   /**
-   * Holds if `f` captures the variable defined by `def` in `cap`.
+   * Holds if `f` captures the given `variable` in `cap`.
    */
   cached
-  predicate captures(Function f, SsaExplicitDefinition def, SsaVariableCapture cap) {
-    def.getSourceVariable() = cap.getSourceVariable() and
+  predicate captures(Function f, LocalVariable variable, SsaVariableCapture cap) {
+    variable = cap.getSourceVariable() and
     f = cap.getContainer()
   }