Rust: Add qhelp examples, and add them as tests.

Author: geoffw0

rust/ql/src/queries/security/CWE-825/AccessInvalidPointerBad.rs

@@ -0,0 +1,10 @@
+
+unsafe {
+    std::ptr::drop_in_place(ptr); // executes the destructor of `*ptr`
+}
+
+// ...
+
+unsafe {
+    do_something(&*ptr); // BAD: dereferences `ptr`
+}

rust/ql/src/queries/security/CWE-825/AccessInvalidPointerGood.rs

@@ -0,0 +1,10 @@
+
+unsafe {
+    do_something(&*ptr); // GOOD: dereferences `ptr` while it is still valid
+}
+
+// ...
+
+{
+    std::ptr::drop_in_place(ptr); // executes the destructor of `*ptr`
+}

rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected

@@ -13,6 +13,7 @@
 | deallocation.rs:100:14:100:15 | p2 | deallocation.rs:93:21:93:42 | ...::dangling_mut | deallocation.rs:100:14:100:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:93:21:93:42 | ...::dangling_mut | invalid |
 | deallocation.rs:101:14:101:15 | p3 | deallocation.rs:94:23:94:36 | ...::null | deallocation.rs:101:14:101:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:94:23:94:36 | ...::null | invalid |
 | deallocation.rs:148:14:148:15 | p1 | deallocation.rs:145:27:145:28 | p1 | deallocation.rs:148:14:148:15 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:145:27:145:28 | p1 | invalid |
+| deallocation.rs:179:18:179:20 | ptr | deallocation.rs:173:27:173:29 | ptr | deallocation.rs:179:18:179:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:173:27:173:29 | ptr | invalid |
 edges
 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:23:13:23:14 | m1 | provenance |  |
 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:25:33:25:34 | m1 | provenance |  |
@@ -38,6 +39,7 @@ edges
 | deallocation.rs:94:23:94:36 | ...::null | deallocation.rs:94:23:94:38 | ...::null(...) | provenance | Src:MaD:5 MaD:5 |
 | deallocation.rs:94:23:94:38 | ...::null(...) | deallocation.rs:94:6:94:7 | p3 | provenance |  |
 | deallocation.rs:145:27:145:28 | p1 | deallocation.rs:148:14:148:15 | p1 | provenance |  |
+| deallocation.rs:173:27:173:29 | ptr | deallocation.rs:179:18:179:20 | ptr | provenance |  |
 models
 | 1 | Sink: lang:core; crate::ptr::read; pointer-access; Argument[0] |
 | 2 | Sink: lang:core; crate::ptr::write; pointer-access; Argument[0] |
@@ -76,4 +78,6 @@ nodes
 | deallocation.rs:101:14:101:15 | p3 | semmle.label | p3 |
 | deallocation.rs:145:27:145:28 | p1 | semmle.label | p1 |
 | deallocation.rs:148:14:148:15 | p1 | semmle.label | p1 |
+| deallocation.rs:173:27:173:29 | ptr | semmle.label | ptr |
+| deallocation.rs:179:18:179:20 | ptr | semmle.label | ptr |
 subpaths

rust/ql/test/query-tests/security/CWE-825/deallocation.rs

@@ -151,3 +151,50 @@ pub fn test_ptr_drop() {
 		println!("	v4 = {v4} (!)"); // corrupt in practice
 	}
 }
+
+fn do_something(s: &String) {
+	println!("	s = {}", s);
+}
+
+fn test_qhelp_test_good(ptr: *mut String) {
+	unsafe {
+		do_something(&*ptr);
+	}
+
+	// ...
+
+	unsafe {
+		std::ptr::drop_in_place(ptr);
+	}
+}
+
+fn test_qhelp_test_bad(ptr: *mut String) {
+	unsafe {
+		std::ptr::drop_in_place(ptr); // $ Source=drop_in_place
+	}
+
+	// ...
+
+	unsafe {
+		do_something(&*ptr); // $ Alert[rust/access-invalid-pointer]=drop_in_place
+	}
+}
+
+pub fn test_qhelp_tests() {
+	let layout = std::alloc::Layout::new::<[String; 2]>();
+	unsafe {
+		let ptr = std::alloc::alloc(layout);
+		let ptr_s = ptr as *mut [String; 2];
+		let ptr1 = &raw mut (*ptr_s)[0];
+		let ptr2 = &raw mut (*ptr_s)[1];
+
+		*ptr1 = String::from("123");
+		*ptr2 = String::from("456");
+
+		test_qhelp_test_good(ptr1);
+
+		test_qhelp_test_bad(ptr2);
+
+		std::alloc::dealloc(ptr, layout);
+	}
+}

rust/ql/test/query-tests/security/CWE-825/main.rs

@@ -123,6 +123,9 @@ fn main() {
 	println!("test_ptr_drop:");
 	test_ptr_drop();
 
+	println!("test_qhelp_tests:");
+	test_qhelp_tests();
+
 	// ---
 
 	println!("test_local_dangling:");