github
diff --git a/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions b/‎change-notes/1.26/analysis-javascript.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql‎
Lines changed: 10 additions & 0 deletions b/‎cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/exprs/Expr.qll‎
Lines changed: 28 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/exprs/Expr.qll‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 46 additions & 41 deletions b/‎cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll‎
Lines changed: 46 additions & 41 deletions
diff --git a/‎cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll‎
Lines changed: 61 additions & 0 deletions b/‎cpp/ql/src/semmle/code/cpp/stmts/Stmt.qll‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎cpp/ql/src/semmlecode.cpp.dbscheme‎
Lines changed: 5 additions & 0 deletions b/‎cpp/ql/src/semmlecode.cpp.dbscheme‎
Lines changed: 5 additions & 0 deletions
@@ -31,6 +31,7 @@
 | Ambiguous HTML id attribute (`js/duplicate-html-id`) | Results no longer shown | Precision tag reduced to "low". The query is no longer run by default. |
 | Unused loop iteration variable (`js/unused-loop-variable`) | Fewer results | This query no longer flags variables in a destructuring array assignment that are not the last variable in the destructed array. |
 | Unsafe shell command constructed from library input (`js/shell-command-constructed-from-input`) | More results | This query now recognizes more commands where colon, slash, and underscore are used. |
+| Unsafe jQuery plugin (`js/unsafe-jquery-plugin`) | More results | This query now detects more unsafe uses of nested option properties. |
 
 
 ## Changes to libraries
 
@@ -45,6 +45,16 @@ predicate dereferenceThis(Expr e) {
   or
   // `*this = ...` (where `=` is not overloaded, so an `AssignExpr`)
   dereferenceThis(e.(AssignExpr).getLValue())
+  or
+  // `e ? ... : ... `
+  exists(ConditionalExpr cond |
+    cond = e and
+    dereferenceThis(cond.getThen()) and
+    dereferenceThis(cond.getElse())
+  )
+  or
+  // `..., ... `
+  dereferenceThis(e.(CommaExpr).getRightOperand())
 }
 
 /**
 
@@ -1268,3 +1268,31 @@ class SpaceshipExpr extends BinaryOperation, @spaceshipexpr {
 
   override string getOperator() { result = "<=>" }
 }
+
+/**
+ * A C/C++ `co_await` expression.
+ * ```
+ * co_await foo();
+ * ```
+ */
+class CoAwaitExpr extends UnaryOperation, @co_await {
+  override string getAPrimaryQlClass() { result = "CoAwaitExpr" }
+
+  override string getOperator() { result = "co_await" }
+
+  override int getPrecedence() { result = 16 }
+}
+
+/**
+ * A C/C++ `co_yield` expression.
+ * ```
+ * co_yield 1;
+ * ```
+ */
+class CoYieldExpr extends UnaryOperation, @co_yield {
+  override string getAPrimaryQlClass() { result = "CoYieldExpr" }
+
+  override string getOperator() { result = "co_yield" }
+
+  override int getPrecedence() { result = 2 }
+}
@@ -11,6 +11,7 @@ private import semmle.code.cpp.ir.IR
 private import semmle.code.cpp.controlflow.IRGuards
 private import semmle.code.cpp.models.interfaces.DataFlow
 
+cached
 private newtype TIRDataFlowNode =
   TInstructionNode(Instruction i) or
   TOperandNode(Operand op) or
@@ -533,11 +534,11 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) { simpleLocalFlowStep(nodeFr
  * data flow. It may have less flow than the `localFlowStep` predicate.
  */
 predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
-  // Instruction -> Instruction flow
-  simpleInstructionLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asInstruction())
-  or
   // Operand -> Instruction flow
-  simpleOperandLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
+  simpleInstructionLocalFlowStep(nodeFrom.asOperand(), nodeTo.asInstruction())
+  or
+  // Instruction -> Operand flow
+  simpleOperandLocalFlowStep(nodeFrom.asInstruction(), nodeTo.asOperand())
 }
 
 pragma[noinline]
@@ -549,26 +550,20 @@ private predicate getFieldSizeOfClass(Class c, Type type, int size) {
   )
 }
 
-private predicate simpleOperandLocalFlowStep(Operand opFrom, Instruction iTo) {
-  // Certain dataflow steps (for instance `PostUpdateNode.getPreUpdateNode()`) generates flow to
-  // operands, so we include dataflow from those operands to the "result" of the instruction (i.e., to
-  // the instruction itself).
-  exists(PostUpdateNode post |
-    opFrom = post.getPreUpdateNode().asOperand() and
-    iTo.getAnOperand() = opFrom
+private predicate isSingleFieldClass(Type type, Class cTo) {
+  exists(int size |
+    cTo.getSize() = size and
+    getFieldSizeOfClass(cTo, type, size)
   )
 }
 
-cached
-private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction iTo) {
-  iTo.(CopyInstruction).getSourceValue() = iFrom
+private predicate simpleOperandLocalFlowStep(Instruction iFrom, Operand opTo) {
+  // Propagate flow from an instruction to its exact uses.
+  opTo.getDef() = iFrom
   or
-  iTo.(PhiInstruction).getAnOperand().getDef() = iFrom
-  or
-  // A read side effect is almost never exact since we don't know exactly how
-  // much memory the callee will read.
-  iTo.(ReadSideEffectInstruction).getSideEffectOperand().getAnyDef() = iFrom and
-  not iFrom.isResultConflated()
+  opTo = any(ReadSideEffectInstruction read).getSideEffectOperand() and
+  not iFrom.isResultConflated() and
+  iFrom = opTo.getAnyDef()
   or
   // Loading a single `int` from an `int *` parameter is not an exact load since
   // the parameter may point to an entire array rather than a single `int`. The
@@ -582,20 +577,38 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
   // leads to a phi node.
   exists(InitializeIndirectionInstruction init |
     iFrom = init and
-    iTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = init and
+    opTo.(LoadOperand).getAnyDef() = init and
     // Check that the types match. Otherwise we can get flow from an object to
     // its fields, which leads to field conflation when there's flow from other
     // fields to the object elsewhere.
     init.getParameter().getType().getUnspecifiedType().(DerivedType).getBaseType() =
-      iTo.getResultType().getUnspecifiedType()
+      opTo.getType().getUnspecifiedType()
+  )
+  or
+  // Flow from stores to structs with a single field to a load of that field.
+  exists(LoadInstruction load |
+    load.getSourceValueOperand() = opTo and
+    opTo.getAnyDef() = iFrom and
+    isSingleFieldClass(iFrom.getResultType(), opTo.getType())
   )
+}
+
+cached
+private predicate simpleInstructionLocalFlowStep(Operand opFrom, Instruction iTo) {
+  iTo.(CopyInstruction).getSourceValueOperand() = opFrom
+  or
+  iTo.(PhiInstruction).getAnInputOperand() = opFrom
+  or
+  // A read side effect is almost never exact since we don't know exactly how
+  // much memory the callee will read.
+  iTo.(ReadSideEffectInstruction).getSideEffectOperand() = opFrom
   or
   // Treat all conversions as flow, even conversions between different numeric types.
-  iTo.(ConvertInstruction).getUnary() = iFrom
+  iTo.(ConvertInstruction).getUnaryOperand() = opFrom
   or
-  iTo.(CheckedConvertOrNullInstruction).getUnary() = iFrom
+  iTo.(CheckedConvertOrNullInstruction).getUnaryOperand() = opFrom
   or
-  iTo.(InheritanceConversionInstruction).getUnary() = iFrom
+  iTo.(InheritanceConversionInstruction).getUnaryOperand() = opFrom
   or
   // A chi instruction represents a point where a new value (the _partial_
   // operand) may overwrite an old value (the _total_ operand), but the alias
@@ -608,7 +621,7 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
   //
   // Flow through the partial operand belongs in the taint-tracking libraries
   // for now.
-  iTo.getAnOperand().(ChiTotalOperand).getDef() = iFrom
+  iTo.getAnOperand().(ChiTotalOperand) = opFrom
   or
   // Add flow from write side-effects to non-conflated chi instructions through their
   // partial operands. From there, a `readStep` will find subsequent reads of that field.
@@ -623,24 +636,16 @@ private predicate simpleInstructionLocalFlowStep(Instruction iFrom, Instruction
   // Here, a `WriteSideEffectInstruction` will provide a new definition for `p->x` after the call to
   // `setX`, which will be melded into `p` through a chi instruction.
   exists(ChiInstruction chi | chi = iTo |
-    chi.getPartialOperand().getDef() = iFrom.(WriteSideEffectInstruction) and
+    opFrom.getAnyDef() instanceof WriteSideEffectInstruction and
+    chi.getPartialOperand() = opFrom and
     not chi.isResultConflated()
   )
   or
-  // Flow from stores to structs with a single field to a load of that field.
-  iTo.(LoadInstruction).getSourceValueOperand().getAnyDef() = iFrom and
-  exists(int size, Type type, Class cTo |
-    type = iFrom.getResultType() and
-    cTo = iTo.getResultType() and
-    cTo.getSize() = size and
-    getFieldSizeOfClass(cTo, type, size)
-  )
-  or
   // Flow through modeled functions
-  modelFlow(iFrom, iTo)
+  modelFlow(opFrom, iTo)
 }
 
-private predicate modelFlow(Instruction iFrom, Instruction iTo) {
+private predicate modelFlow(Operand opFrom, Instruction iTo) {
   exists(
     CallInstruction call, DataFlowFunction func, FunctionInput modelIn, FunctionOutput modelOut
   |
@@ -665,17 +670,17 @@ private predicate modelFlow(Instruction iFrom, Instruction iTo) {
     (
       exists(int index |
         modelIn.isParameter(index) and
-        iFrom = call.getPositionalArgument(index)
+        opFrom = call.getPositionalArgumentOperand(index)
       )
       or
       exists(int index, ReadSideEffectInstruction read |
         modelIn.isParameterDeref(index) and
         read = getSideEffectFor(call, index) and
-        iFrom = read.getSideEffectOperand().getAnyDef()
+        opFrom = read.getSideEffectOperand()
       )
       or
       modelIn.isQualifierAddress() and
-      iFrom = call.getThisArgument()
+      opFrom = call.getThisArgumentOperand()
       // TODO: add read side effects for qualifiers
     )
   )
 
@@ -662,6 +662,67 @@ class LabelStmt extends Stmt, @stmt_label {
   override predicate mayBeGloballyImpure() { none() }
 }
 
+/**
+ * A C/C++ `co_return` statement.
+ *
+ * For example:
+ * ```
+ * co_return 1+2;
+ * ```
+ * or
+ * ```
+ * co_return;
+ * ```
+ */
+class CoReturnStmt extends Stmt, @stmt_co_return {
+  override string getAPrimaryQlClass() { result = "CoReturnStmt" }
+
+  /**
+   * Gets the operand of this 'co_return' statement.
+   *
+   * For example, for
+   * ```
+   * co_return 1+2;
+   * ```
+   * the operand is a function call `return_value(1+2)`, and for
+   * ```
+   * co_return;
+   * ```
+   * the operand is a function call `return_void()`.
+   */
+  FunctionCall getOperand() { result = this.getChild(0) }
+
+  /**
+   * Gets the expression of this 'co_return' statement, if any.
+   *
+   * For example, for
+   * ```
+   * co_return 1+2;
+   * ```
+   * the result is `1+2`, and there is no result for
+   * ```
+   * co_return;
+   * ```
+   */
+  Expr getExpr() { result = this.getOperand().getArgument(0) }
+
+  /**
+   * Holds if this 'co_return' statement has an expression.
+   *
+   * For example, this holds for
+   * ```
+   * co_return 1+2;
+   * ```
+   * but not for
+   * ```
+   * co_return;
+   * ```
+   */
+  predicate hasExpr() { exists(this.getExpr()) }
+
+  override string toString() { result = "co_return ..." }
+}
+
 /**
  * A C/C++ 'return' statement.
  *
 
@@ -1228,6 +1228,8 @@ funbind(
             | @builtinaddressof
             | @vec_fill
             | @un_log_op_expr
+            | @co_await
+            | @co_yield
             ;
 
 @bin_log_op_expr = @andlogicalexpr | @orlogicalexpr;
@@ -1647,6 +1649,8 @@ case @expr.kind of
 | 324 = @builtinconvertvector
 | 325 = @builtincomplex
 | 326 = @spaceshipexpr
+| 327 = @co_await
+| 328 = @co_yield
 ;
 
 @var_args_expr = @vastartexpr
@@ -1851,6 +1855,7 @@ case @stmt.kind of
 |  33 = @stmt_handler
 // ...  34 @stmt_finally_end deprecated
 |  35 = @stmt_constexpr_if
+|  37 = @stmt_co_return
 ;
 
 type_vla(