special

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/Content.qll

@@ -35,6 +35,8 @@ class TupleFieldContent extends FieldContent, TTupleFieldContent {
     not field = any(TupleType tt).getATupleField()
   }
 
+  TupleField getField() { result = field }
+
   /** Holds if this field belongs to an enum variant. */
   predicate isVariantField(Variant v, int pos) { field.isVariantField(v, pos) }
 
@@ -68,6 +70,8 @@ class StructFieldContent extends FieldContent, TStructFieldContent {
 
   StructFieldContent() { this = TStructFieldContent(field) }
 
+  StructField getField() { result = field }
+
   /** Holds if this field belongs to an enum variant. */
   predicate isVariantField(Variant v, string name) { field.isVariantField(v, name) }
 
@@ -275,3 +279,65 @@ newtype TContent =
   } or
   TCapturedVariableContent(VariableCapture::CapturedVariable v) or
   TReferenceContent()
+
+string tupleFieldApprox(TupleField field) {
+  exists(Variant v, int pos |
+    field.isVariantField(v, pos) and
+    result = v.getName().getText().charAt(0)
+  )
+  or
+  exists(Struct s, int pos |
+    field.isStructField(s, pos) and
+    result = s.getName().getText().charAt(0)
+  )
+}
+
+string structFieldApprox(StructField field) {
+  exists(Variant v, string name |
+    field.isVariantField(v, name) and
+    result = v.getName().getText().charAt(0) + "." + name
+  )
+  or
+  exists(Struct s, string name |
+    field.isStructField(s, name) and
+    result = s.getName().getText().charAt(0) + "." + name
+  )
+}
+
+cached
+newtype TContentApprox =
+  TTupleFieldContentApprox(string s) { Stages::DataFlowStage::ref() and s = tupleFieldApprox(_) } or
+  TStructFieldContentApprox(string s) { s = structFieldApprox(_) } or
+  TElementContentApprox() or
+  TFutureContentApprox() or
+  TTuplePositionContentApprox() or
+  TFunctionCallReturnContentApprox() or
+  TFunctionCallArgumentContentApprox() or
+  TCapturedVariableContentApprox() or
+  TReferenceContentApprox()
+
+final class ContentApprox extends TContentApprox {
+  /** Gets a textual representation of this element. */
+  string toString() {
+    exists(string s |
+      this = TTupleFieldContentApprox(s) or
+      this = TStructFieldContentApprox(s)
+    |
+      result = s
+    )
+    or
+    this = TElementContentApprox() and result = "element"
+    or
+    this = TFutureContentApprox() and result = "future"
+    or
+    this = TTuplePositionContentApprox() and result = "tuple.position"
+    or
+    this = TFunctionCallReturnContentApprox() and result = "function.return"
+    or
+    this = TFunctionCallArgumentContentApprox() and result = "function.argument"
+    or
+    this = TCapturedVariableContentApprox() and result = "captured.variable"
+    or
+    this = TReferenceContentApprox() and result = "&ref"
+  }
+}

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -274,6 +274,8 @@ private module Aliases {
 
   class ContentAlias = Content;
 
+  class ContentApproxAlias = ContentApprox;
+
   class ContentSetAlias = ContentSet;
 
   class LambdaCallKindAlias = LambdaCallKind;
@@ -495,9 +497,27 @@ module RustDataFlow implements InputSig<Location> {
 
   predicate forceHighPrecision(Content c) { none() }
 
-  final class ContentApprox = Content; // TODO: Implement if needed
+  class ContentApprox = ContentApproxAlias;
 
-  ContentApprox getContentApprox(Content c) { result = c }
+  ContentApprox getContentApprox(Content c) {
+    result = TTupleFieldContentApprox(tupleFieldApprox(c.(TupleFieldContent).getField()))
+    or
+    result = TStructFieldContentApprox(structFieldApprox(c.(StructFieldContent).getField()))
+    or
+    result = TElementContentApprox() and c instanceof ElementContent
+    or
+    result = TFutureContentApprox() and c instanceof FutureContent
+    or
+    result = TTuplePositionContentApprox() and c instanceof TuplePositionContent
+    or
+    result = TFunctionCallArgumentContentApprox() and c instanceof FunctionCallArgumentContent
+    or
+    result = TFunctionCallReturnContentApprox() and c instanceof FunctionCallReturnContent
+    or
+    result = TCapturedVariableContentApprox() and c instanceof CapturedVariableContent
+    or
+    result = TReferenceContentApprox() and c instanceof ReferenceContent
+  }
 
   /**
    * Holds if the parameter position `ppos` matches the argument position
@@ -523,6 +543,8 @@ module RustDataFlow implements InputSig<Location> {
         not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
       )
       or
+      specialDeref(nodeFrom, nodeTo)
+      or
       VariableCapture::localFlowStep(nodeFrom, nodeTo)
     ) and
     model = ""

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -263,8 +263,12 @@ class ImplicitDerefNodeState extends TImplicitDerefNodeState {
   }
 }
 
+private import codeql.rust.frameworks.stdlib.Builtins as Builtins
+
 /**
  * A node used to represent implicit dereferencing.
+ *
+ * TODO: Special case `&` and `&mut` implementations.
  */
 class ImplicitDerefNode extends Node, TImplicitDerefNode {
   AstNode n;
@@ -274,11 +278,14 @@ class ImplicitDerefNode extends Node, TImplicitDerefNode {
 
   ImplicitDerefNode() { this = TImplicitDerefNode(n, derefChain, state, i, false) }
 
+  predicate isSpecial() { derefChain.isSpecial(i) }
+
   /**
    * Gets the node that should the predecessor in a reference store-step into this
    * node, if any.
    */
   Node getBorrowInputNode() {
+    not this.isSpecial() and
     state = TImplicitDerefNodeBorrowState() and
     (
       i = 0 and
@@ -293,7 +300,11 @@ class ImplicitDerefNode extends Node, TImplicitDerefNode {
    * node, if any.
    */
   Node getDerefOutputNode() {
-    state = TImplicitDerefNodeBeforeDerefState() and
+    (
+      if this.isSpecial()
+      then state = TImplicitDerefNodeBorrowState()
+      else state = TImplicitDerefNodeBeforeDerefState()
+    ) and
     result = TImplicitDerefNode(n, derefChain, TImplicitDerefNodeAfterDerefState(), i, false)
   }
 
@@ -310,18 +321,31 @@ class ImplicitDerefNode extends Node, TImplicitDerefNode {
   override string toString() { result = n + " [implicit deref " + i + " in state " + state + "]" }
 }
 
+predicate specialDeref(AstNodeNode node1, Node node2) {
+  exists(DerefChain derefChain |
+    node2 =
+      TImplicitDerefNode(node1.getAstNode(), derefChain, TImplicitDerefNodeBorrowState(), 0, false) and
+    derefChain.isSpecial(0)
+  )
+}
+
 final class ImplicitDerefArgNode extends ImplicitDerefNode, ArgumentNode {
   private DataFlowCall call_;
   private RustDataFlow::ArgumentPosition pos_;
 
   ImplicitDerefArgNode() {
-    state = TImplicitDerefNodeBorrowState() and
-    call_ = TImplicitDerefCall(n, derefChain, i, _) and
-    pos_.isSelf()
-    or
-    this.isLast(_) and
-    TypeInference::implicitDerefChainBorrow(n, derefChain, false) and
-    isArgumentForCall(n, call_.asCall(), pos_)
+    // negative recursion
+    not derefChain.isSpecial(i) and
+    // not this.isSpecial() and
+    (
+      state = TImplicitDerefNodeBorrowState() and
+      call_ = TImplicitDerefCall(n, derefChain, i, _) and
+      pos_.isSelf()
+      or
+      this.isLast(_) and
+      TypeInference::implicitDerefChainBorrow(n, derefChain, false) and
+      isArgumentForCall(n, call_.asCall(), pos_)
+    )
   }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
@@ -332,7 +356,11 @@ final class ImplicitDerefArgNode extends ImplicitDerefNode, ArgumentNode {
 private class ImplicitDerefOutNode extends ImplicitDerefNode, OutNode {
   private DataFlowCall call;
 
-  ImplicitDerefOutNode() { state = TImplicitDerefNodeBeforeDerefState() }
+  ImplicitDerefOutNode() {
+    // not this.isSpecial() and
+    not derefChain.getElement(i).resolveSelfTyBuiltin() instanceof Builtins::RefType and
+    state = TImplicitDerefNodeBeforeDerefState()
+  }
 
   override DataFlowCall getCall(ReturnKind kind) {
     result = TImplicitDerefCall(n, derefChain, i, _) and

rust/ql/lib/codeql/rust/internal/typeinference/DerefChain.qll

@@ -70,7 +70,15 @@ private import UnboundListImpl::Make<Location, UnboundListInput>
  * A sequence of `Deref` impl blocks representing a chain of implicit dereferences,
  * encoded as a string.
  */
-class DerefChain = UnboundList;
+class DerefChain extends UnboundList {
+  bindingset[this]
+  DerefChain() { exists(this) }
+
+  bindingset[this]
+  predicate isSpecial(int i) {
+    this.getElement(i).resolveSelfTyBuiltin() instanceof Builtins::RefType
+  }
+}
 
 /** Provides predicates for constructing `DerefChain`s. */
 module DerefChain = UnboundList;

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -8,22 +8,20 @@ edges
 | main.rs:17:9:17:9 | a | main.rs:18:10:18:10 | a | provenance |  |
 | main.rs:17:13:17:23 | get_data(...) | main.rs:17:9:17:9 | a | provenance |  |
 | main.rs:26:28:26:33 | ...: i64 | main.rs:27:21:27:21 | n | provenance |  |
-| main.rs:27:9:27:12 | [post] self [&ref, MyStruct] | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | provenance |  |
-| main.rs:27:21:27:21 | n | main.rs:27:9:27:12 | [post] self [&ref, MyStruct] | provenance |  |
-| main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:31:9:31:12 | self [&ref, MyStruct] | provenance |  |
-| main.rs:31:9:31:12 | self [&ref, MyStruct] | main.rs:31:9:31:17 | self.data | provenance | MaD:1 |
+| main.rs:27:21:27:21 | n | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | provenance |  |
+| main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:31:9:31:17 | self.data | provenance |  |
 | main.rs:31:9:31:17 | self.data | main.rs:30:31:32:5 | { ... } | provenance |  |
 | main.rs:38:5:38:5 | [post] a [MyStruct] | main.rs:39:10:39:10 | a [MyStruct] | provenance |  |
 | main.rs:38:16:38:24 | source(...) | main.rs:26:28:26:33 | ...: i64 | provenance |  |
 | main.rs:38:16:38:24 | source(...) | main.rs:38:5:38:5 | [post] a [MyStruct] | provenance |  |
 | main.rs:39:10:39:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance |  |
-| main.rs:39:10:39:10 | a [MyStruct] | main.rs:39:10:39:21 | a.get_data() | provenance | MaD:1 |
+| main.rs:39:10:39:10 | a [MyStruct] | main.rs:39:10:39:21 | a.get_data() | provenance |  |
 | main.rs:46:9:46:14 | [post] &mut a [&ref, MyStruct] | main.rs:46:14:46:14 | [post] a [MyStruct] | provenance |  |
 | main.rs:46:14:46:14 | [post] a [MyStruct] | main.rs:49:10:49:10 | a [MyStruct] | provenance |  |
 | main.rs:48:15:48:23 | source(...) | main.rs:26:28:26:33 | ...: i64 | provenance |  |
 | main.rs:48:15:48:23 | source(...) | main.rs:46:9:46:14 | [post] &mut a [&ref, MyStruct] | provenance |  |
 | main.rs:49:10:49:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance |  |
-| main.rs:49:10:49:10 | a [MyStruct] | main.rs:49:10:49:21 | a.get_data() | provenance | MaD:1 |
+| main.rs:49:10:49:10 | a [MyStruct] | main.rs:49:10:49:21 | a.get_data() | provenance |  |
 | main.rs:52:12:52:17 | ...: i64 | main.rs:53:10:53:10 | n | provenance |  |
 | main.rs:57:9:57:9 | a | main.rs:58:13:58:13 | a | provenance |  |
 | main.rs:57:13:57:21 | source(...) | main.rs:57:9:57:9 | a | provenance |  |
@@ -112,9 +110,8 @@ edges
 | main.rs:238:24:238:27 | self [MyInt] | main.rs:238:24:238:33 | self.value | provenance |  |
 | main.rs:238:24:238:33 | self.value | main.rs:238:9:238:35 | MyInt {...} [MyInt] | provenance |  |
 | main.rs:243:30:243:39 | ...: MyInt [MyInt] | main.rs:244:22:244:24 | rhs [MyInt] | provenance |  |
-| main.rs:244:9:244:12 | [post] self [&ref, MyInt] | main.rs:243:19:243:27 | SelfParam [Return] [&ref, MyInt] | provenance |  |
 | main.rs:244:22:244:24 | rhs [MyInt] | main.rs:244:22:244:30 | rhs.value | provenance |  |
-| main.rs:244:22:244:30 | rhs.value | main.rs:244:9:244:12 | [post] self [&ref, MyInt] | provenance |  |
+| main.rs:244:22:244:30 | rhs.value | main.rs:243:19:243:27 | SelfParam [Return] [&ref, MyInt] | provenance |  |
 | main.rs:251:14:251:18 | SelfParam [&ref, MyInt] | main.rs:252:12:252:15 | self [&ref, MyInt] | provenance |  |
 | main.rs:252:9:252:22 | &... [&ref] | main.rs:251:38:253:5 | { ... } [&ref] | provenance |  |
 | main.rs:252:10:252:22 | ... .value | main.rs:252:9:252:22 | &... [&ref] | provenance |  |
@@ -233,11 +230,9 @@ nodes
 | main.rs:18:10:18:10 | a | semmle.label | a |
 | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | semmle.label | SelfParam [Return] [&ref, MyStruct] |
 | main.rs:26:28:26:33 | ...: i64 | semmle.label | ...: i64 |
-| main.rs:27:9:27:12 | [post] self [&ref, MyStruct] | semmle.label | [post] self [&ref, MyStruct] |
 | main.rs:27:21:27:21 | n | semmle.label | n |
 | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | semmle.label | SelfParam [&ref, MyStruct] |
 | main.rs:30:31:32:5 | { ... } | semmle.label | { ... } |
-| main.rs:31:9:31:12 | self [&ref, MyStruct] | semmle.label | self [&ref, MyStruct] |
 | main.rs:31:9:31:17 | self.data | semmle.label | self.data |
 | main.rs:38:5:38:5 | [post] a [MyStruct] | semmle.label | [post] a [MyStruct] |
 | main.rs:38:16:38:24 | source(...) | semmle.label | source(...) |
@@ -348,7 +343,6 @@ nodes
 | main.rs:238:24:238:33 | self.value | semmle.label | self.value |
 | main.rs:243:19:243:27 | SelfParam [Return] [&ref, MyInt] | semmle.label | SelfParam [Return] [&ref, MyInt] |
 | main.rs:243:30:243:39 | ...: MyInt [MyInt] | semmle.label | ...: MyInt [MyInt] |
-| main.rs:244:9:244:12 | [post] self [&ref, MyInt] | semmle.label | [post] self [&ref, MyInt] |
 | main.rs:244:22:244:24 | rhs [MyInt] | semmle.label | rhs [MyInt] |
 | main.rs:244:22:244:30 | rhs.value | semmle.label | rhs.value |
 | main.rs:251:14:251:18 | SelfParam [&ref, MyInt] | semmle.label | SelfParam [&ref, MyInt] |