JS: Resolve calls downward in the class hierarchy

Author: asgerf

javascript/ql/lib/semmle/javascript/dataflow/Nodes.qll

@@ -1066,20 +1066,45 @@ class ClassNode extends DataFlow::SourceNode instanceof ClassNode::Range {
     result = this.getAnInstanceReference(DataFlow::TypeTracker::end())
   }
 
+  pragma[nomagic]
+  private DataFlow::PropRead getAnOwnInstanceMemberAccess(string name, DataFlow::TypeTracker t) {
+    result = this.getAnInstanceReference(t.continue()).getAPropertyRead(name)
+  }
+
+  pragma[nomagic]
+  private DataFlow::PropRead getAnInstanceMemberAccessOnSubClass(
+    string name, DataFlow::TypeTracker t
+  ) {
+    exists(DataFlow::ClassNode subclass |
+      subclass = this.getADirectSubClass() and
+      not exists(subclass.getInstanceMember(name, _))
+    |
+      result = subclass.getAnOwnInstanceMemberAccess(name, t)
+      or
+      result = subclass.getAnInstanceMemberAccessOnSubClass(name, t)
+    )
+  }
+
+  pragma[nomagic]
+  private DataFlow::PropRead getAnInstanceMemberAccessOnSuperClass(string name) {
+    result = this.getADirectSuperClass().getAReceiverNode().getAPropertyRead(name)
+    or
+    result = this.getADirectSuperClass().getAnInstanceMemberAccessOnSuperClass(name)
+  }
+
   /**
    * Gets a property read that accesses the property `name` on an instance of this class.
    *
    * Concretely, this holds when the base is an instance of this class or a subclass thereof.
    */
   pragma[nomagic]
   DataFlow::PropRead getAnInstanceMemberAccess(string name, DataFlow::TypeTracker t) {
-    result = this.getAnInstanceReference(t.continue()).getAPropertyRead(name)
+    result = this.getAnOwnInstanceMemberAccess(name, t)
     or
-    exists(DataFlow::ClassNode subclass |
-      result = subclass.getAnInstanceMemberAccess(name, t) and
-      not exists(subclass.getInstanceMember(name, _)) and
-      this = subclass.getADirectSuperClass()
-    )
+    result = this.getAnInstanceMemberAccessOnSubClass(name, t)
+    or
+    t.start() and
+    result = this.getAnInstanceMemberAccessOnSuperClass(name)
   }
 
   /**

javascript/ql/test/library-tests/CallGraphs/AnnotatedTest/subclasses.js

@@ -5,16 +5,16 @@ class Base {
         /** calls:methodInBase */
         this.methodInBase();
 
-        /** calls:NONE */
+        /** calls:methodInSub1 calls:methodInSub2 */
         this.methodInSub();
 
-        /** calls:overridenInSub0 */
+        /** calls:overridenInSub0 calls:overridenInSub1 calls:overridenInSub2 */
         this.overridenInSub();
     }
 
     /** name:methodInBase */
     methodInBase() {
-        /** calls:NONE */
+        /** calls:methodInSub1 calls:methodInSub2 */
         this.methodInSub();
     }