JS(ql): support nullish coalescing operators

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/Expr.qll

@@ -1288,14 +1288,24 @@ class LogOrExpr extends @logorexpr, BinaryExpr {
   override ControlFlowNode getFirstControlFlowNode() { result = this }
 }
 
+/** A nullish coalescing '??' expression. */
+class NullishCoalescingExpr extends @nullishcoalescingexpr, BinaryExpr {
+  override string getOperator() {
+    result = "??"
+  }
+
+  override ControlFlowNode getFirstControlFlowNode() { result = this }
+}
+
 /**
  * A logical binary expression, that is, either a logical
  * 'or' or a logical 'and' expression.
  */
 class LogicalBinaryExpr extends BinaryExpr {
   LogicalBinaryExpr() {
     this instanceof LogAndExpr or
-    this instanceof LogOrExpr
+    this instanceof LogOrExpr or
+    this instanceof NullishCoalescingExpr
   }
 }
 

javascript/ql/test/library-tests/DataFlow/flowStep.expected

@@ -25,6 +25,7 @@
 | tst.js:4:5:4:12 | y | tst.js:12:6:12:6 | y |
 | tst.js:4:5:4:12 | y | tst.js:13:5:13:5 | y |
 | tst.js:4:5:4:12 | y | tst.js:14:9:14:9 | y |
+| tst.js:4:5:4:12 | y | tst.js:105:6:105:6 | y |
 | tst.js:4:9:4:12 | "hi" | tst.js:4:5:4:12 | y |
 | tst.js:9:2:9:2 | x | tst.js:9:1:9:3 | (x) |
 | tst.js:10:4:10:4 | y | tst.js:10:1:10:4 | x, y |
@@ -59,6 +60,7 @@
 | tst.js:25:1:25:3 | x | tst.js:32:1:32:0 | x |
 | tst.js:25:1:25:3 | x | tst.js:57:7:57:7 | x |
 | tst.js:25:1:25:3 | x | tst.js:58:11:58:11 | x |
+| tst.js:25:1:25:3 | x | tst.js:105:1:105:1 | x |
 | tst.js:28:2:28:1 | x | tst.js:29:3:29:3 | x |
 | tst.js:28:2:29:3 | () =>\\n  x | tst.js:28:1:30:1 | (() =>\\n ... ables\\n) |
 | tst.js:29:3:29:3 | x | tst.js:28:1:30:3 | (() =>\\n ... les\\n)() |
@@ -117,6 +119,8 @@
 | tst.js:101:13:101:16 | rest | tst.js:101:3:101:16 | [ , z ] = rest |
 | tst.js:102:10:102:18 | x + y + z | tst.js:98:1:103:17 | (functi ... 3, 0 ]) |
 | tst.js:103:4:103:16 | [ 19, 23, 0 ] | tst.js:98:11:98:24 | [ x, ...rest ] |
+| tst.js:105:1:105:1 | x | tst.js:105:1:105:6 | x ?? y |
+| tst.js:105:6:105:6 | y | tst.js:105:1:105:6 | x ?? y |
 | tst.ts:1:1:1:1 | A | tst.ts:1:11:1:11 | A |
 | tst.ts:1:1:1:1 | A | tst.ts:7:1:7:0 | A |
 | tst.ts:1:1:5:1 | A | tst.ts:7:1:7:0 | A |

javascript/ql/test/library-tests/DataFlow/tst.js

@@ -102,4 +102,5 @@ var vs2 = ( for (v of o) v );     // generator comprehensions are not analysed
   return x + y + z;
 })([ 19, 23, 0 ]);
 
+x ?? y;                           // flow through short-circuiting operator
 // semmle-extractor-options: --experimental

javascript/ql/test/library-tests/TypeInference/NullishCoalescing/test.expected

@@ -0,0 +1,19 @@
+| v1 | file://:0:0:0:0 | true |
+| v2 | file://:0:0:0:0 | false |
+| v2 | file://:0:0:0:0 | undefined |
+| v4 | file://:0:0:0:0 | false |
+| v4 | file://:0:0:0:0 | true |
+| v4 | file://:0:0:0:0 | undefined |
+| v5 | file://:0:0:0:0 | false |
+| v5 | file://:0:0:0:0 | true |
+| v5 | file://:0:0:0:0 | undefined |
+| v6 | file://:0:0:0:0 | false |
+| v6 | file://:0:0:0:0 | true |
+| v6 | file://:0:0:0:0 | undefined |
+| v7 | file://:0:0:0:0 | false |
+| v7 | file://:0:0:0:0 | true |
+| v7 | file://:0:0:0:0 | undefined |
+| v7 | tst.js:22:15:22:16 | object literal |
+| x | file://:0:0:0:0 | false |
+| x | file://:0:0:0:0 | true |
+| x | file://:0:0:0:0 | undefined |

javascript/ql/test/library-tests/TypeInference/NullishCoalescing/test.ql

@@ -0,0 +1,5 @@
+import javascript
+
+from Variable v, Expr e
+where e = v.getAnAssignedExpr()
+select v, e.analyze().getAValue()

javascript/ql/test/library-tests/TypeInference/NullishCoalescing/tst.js

@@ -0,0 +1,24 @@
+(function() {
+    var x = f()? undefined: f()? false: true;
+
+    if (x || false) {
+        v1 = x;
+    } else {
+        v2 = x;
+    }
+
+    if (x && false) {
+        v3 = x;
+    } else {
+        v4 = x;
+    }
+
+    if (x ?? false) {
+        v5 = x;
+    } else {
+        v6 = x;
+    }
+
+    v7 = x ?? {};
+});
+// semmle-extractor-options: --experimental