github · owen-mc · Nov 27, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
@@ -1,4 +1,4 @@
 ---
 category: breaking
 ---
-* The query `go/unexpected-frontend-error` has been moved from the `codeql/go-queries` query  to the `codeql-go-consistency-queries` query pack.
+* The query `go/unexpected-frontend-error` has been moved from the `codeql/go-queries` query to the `codeql-go-consistency-queries` query pack.
@@ -1588,4 +1588,9 @@ module IR {
    * in a field/method access, element access, or slice expression.
    */
   EvalImplicitDerefInstruction implicitDerefInstruction(Expr e) { result = MkImplicitDeref(e) }
+
+  /** Gets the base of `insn`, if `insn` is an implicit field read. */
+  Instruction lookThroughImplicitFieldRead(Instruction insn) {
+    result = insn.(ImplicitFieldReadInstruction).getBaseInstruction()
+  }
 }
@@ -838,7 +838,11 @@ module Public {
       exists(IR::MethodReadInstruction mri |
         ce.getTarget() instanceof Method and
         mri = IR::evalExprInstruction(ce.getCalleeExpr()) and
-        insn = mri.getReceiver()
+        // If a.x is reading a promoted field, and it's equivalent to a.b.c.x,
+        // then mri.getReceiver() will give us the implicit field read a.b.c
+        // and we want to have post-update nodes for a, the implicit field
+        // read a.b and the implicit field read a.b.c.
+        insn = IR::lookThroughImplicitFieldRead*(mri.getReceiver())
       )
     ) and
     mutableType(insn.getResultType())

@@ -89,7 +89,8 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) {
       nodeFrom = instructionNode(pred) or
       nodeFrom.(PostUpdateNode).getPreUpdateNode() = instructionNode(pred)
     ) and
-    nodeTo = instructionNode(succ)
+    nodeTo = instructionNode(succ) and
+    nodeTo != nodeFrom
   )
   or
   // GlobalFunctionNode -> use

@@ -384,17 +384,13 @@ module SourceSinkInterpretationInput implements
   }
 
   private DataFlow::Node skipImplicitFieldReads(DataFlow::Node n) {
-    not exists(lookThroughImplicitFieldRead(n)) and result = n
+    not exists(IR::lookThroughImplicitFieldRead(n.asInstruction())) and result = n
     or
-    result = skipImplicitFieldReads(lookThroughImplicitFieldRead(n))
-  }
-
-  private DataFlow::Node lookThroughImplicitFieldRead(DataFlow::Node n) {
-    result.asInstruction() =
-      n.(DataFlow::InstructionNode)
-          .asInstruction()
-          .(IR::ImplicitFieldReadInstruction)
-          .getBaseInstruction()
+    exists(DataFlow::Node mid |
+      mid.asInstruction() = IR::lookThroughImplicitFieldRead(n.asInstruction())
+    |
+      result = skipImplicitFieldReads(mid)
+    )
   }
 
   /** Provides additional sink specification logic. */

@@ -34,25 +34,3 @@ reverseRead
 | test.go:92:19:92:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | test.go:93:5:93:11 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | test.go:94:9:94:15 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-identityLocalStep
-| test.go:114:37:114:38 | rc | Node steps to itself |
-| test.go:198:27:198:29 | out | Node steps to itself |
-| test.go:224:27:224:29 | out | Node steps to itself |
-| test.go:249:27:249:29 | out | Node steps to itself |
-| test.go:274:27:274:29 | out | Node steps to itself |
-| test.go:299:27:299:29 | out | Node steps to itself |
-| test.go:324:26:324:28 | out | Node steps to itself |
-| test.go:349:26:349:28 | out | Node steps to itself |
-| test.go:375:28:375:30 | out | Node steps to itself |
-| test.go:403:28:403:30 | out | Node steps to itself |
-| test.go:431:24:431:26 | out | Node steps to itself |
-| test.go:463:26:463:28 | out | Node steps to itself |
-| test.go:490:26:490:28 | out | Node steps to itself |
-| test.go:517:27:517:29 | out | Node steps to itself |
-| test.go:546:26:546:28 | out | Node steps to itself |
-| test.go:571:26:571:28 | out | Node steps to itself |
-| test.go:601:24:601:26 | out | Node steps to itself |
-| test.go:614:15:614:21 | tarRead | Node steps to itself |
-| test.go:622:3:622:7 | files | Node steps to itself |
-| test.go:637:10:637:16 | tarRead | Node steps to itself |
-| test.go:647:10:647:16 | tarRead | Node steps to itself |
@@ -13,6 +13,3 @@ reverseRead
 | CorsMisconfiguration.go:170:14:170:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | CorsMisconfiguration.go:194:17:194:19 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | CorsMisconfiguration.go:206:14:206:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-identityLocalStep
-| CorsMisconfiguration.go:208:13:208:18 | origin | Node steps to itself |
-| CorsMisconfiguration.go:235:6:235:8 | try | Node steps to itself |
@@ -1,11 +1,5 @@
 reverseRead
-| pkg1/embedding.go:56:29:56:39 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| pkg1/embedding.go:57:33:57:46 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| pkg1/embedding.go:58:14:58:22 | implicit read of field embedder | Origin of readStep is missing a PostUpdateNode. |
-| pkg1/embedding.go:58:31:58:42 | implicit read of field embedder | Origin of readStep is missing a PostUpdateNode. |
 | pkg1/tst.go:43:6:43:6 | t | Origin of readStep is missing a PostUpdateNode. |
 | pkg1/tst.go:46:6:46:6 | t | Origin of readStep is missing a PostUpdateNode. |
-| pkg1/tst.go:50:2:50:2 | t | Origin of readStep is missing a PostUpdateNode. |
 | pkg1/tst.go:53:6:53:7 | t2 | Origin of readStep is missing a PostUpdateNode. |
 | pkg1/tst.go:55:6:55:7 | t2 | Origin of readStep is missing a PostUpdateNode. |
-| promoted.go:18:6:18:6 | t | Origin of readStep is missing a PostUpdateNode. |
@@ -2,14 +2,3 @@ reverseRead
 | test.go:90:10:90:15 | taint8 | Origin of readStep is missing a PostUpdateNode. |
 | test.go:104:12:104:18 | taint10 | Origin of readStep is missing a PostUpdateNode. |
 | test.go:150:10:150:14 | slice | Origin of readStep is missing a PostUpdateNode. |
-identityLocalStep
-| test.go:92:3:92:3 | b | Node steps to itself |
-| test.go:95:3:95:3 | b | Node steps to itself |
-| test.go:106:3:106:3 | b | Node steps to itself |
-| test.go:109:3:109:3 | b | Node steps to itself |
-| test.go:119:3:119:3 | b | Node steps to itself |
-| test.go:122:3:122:3 | b | Node steps to itself |
-| test.go:125:3:125:3 | b | Node steps to itself |
-| test.go:128:3:128:3 | b | Node steps to itself |
-| test.go:138:3:138:3 | b | Node steps to itself |
-| test.go:141:3:141:3 | b | Node steps to itself |
@@ -2,14 +2,3 @@ reverseRead
 | test.go:90:10:90:15 | taint8 | Origin of readStep is missing a PostUpdateNode. |
 | test.go:104:12:104:18 | taint10 | Origin of readStep is missing a PostUpdateNode. |
 | test.go:150:10:150:14 | slice | Origin of readStep is missing a PostUpdateNode. |
-identityLocalStep
-| test.go:92:3:92:3 | b | Node steps to itself |
-| test.go:95:3:95:3 | b | Node steps to itself |
-| test.go:106:3:106:3 | b | Node steps to itself |
-| test.go:109:3:109:3 | b | Node steps to itself |
-| test.go:119:3:119:3 | b | Node steps to itself |
-| test.go:122:3:122:3 | b | Node steps to itself |
-| test.go:125:3:125:3 | b | Node steps to itself |
-| test.go:128:3:128:3 | b | Node steps to itself |
-| test.go:138:3:138:3 | b | Node steps to itself |
-| test.go:141:3:141:3 | b | Node steps to itself |
@@ -14,6 +14,3 @@ reverseRead
 | test.go:318:20:318:22 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | test.go:324:17:324:19 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | test.go:324:17:324:25 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-identityLocalStep
-| test.go:278:3:278:14 | genericFiles | Node steps to itself |
-| test.go:278:21:278:25 | files | Node steps to itself |