Rust: Compute incompatible blanket implementations

Author: hvitved

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -859,14 +859,14 @@ private predicate assocFunctionInfo(
 
 /**
  * Holds if function `f` with the name `name` and the arity `arity` exists in
- * blanket implementation `impl` of `trait`, and the type at position
+ * blanket (like) implementation `impl` of `trait`, and the type at position
  * `pos` is `t`.
  *
  * `blanketPath` points to the type `blanketTypeParam` inside `t`, which
  * is the type parameter used in the blanket implementation.
  */
 pragma[nomagic]
-private predicate functionInfoBlanket(
+private predicate functionInfoBlanketLike(
   Function f, string name, int arity, ImplItemNode impl, Trait trait, FunctionTypePosition pos,
   AssocFunctionType t, TypePath blanketPath, TypeParam blanketTypeParam
 ) {
@@ -985,19 +985,20 @@ private module MethodResolution {
 
   /**
    * Holds if method `m` with the name `name` and the arity `arity` exists in
-   * blanket implementation `impl` of `trait`, and the type of the `self`
+   * blanket (like) implementation `impl` of `trait`, and the type of the `self`
    * parameter is `selfType`.
    *
    * `blanketPath` points to the type `blanketTypeParam` inside `selfType`, which
    * is the type parameter used in the blanket implementation.
    */
   pragma[nomagic]
-  private predicate methodInfoBlanket(
+  private predicate methodInfoBlanketLike(
     Method m, string name, int arity, ImplItemNode impl, Trait trait, AssocFunctionType selfType,
     TypePath blanketPath, TypeParam blanketTypeParam
   ) {
     exists(FunctionTypePosition pos |
-      functionInfoBlanket(m, name, arity, impl, trait, pos, selfType, blanketPath, blanketTypeParam) and
+      functionInfoBlanketLike(m, name, arity, impl, trait, pos, selfType, blanketPath,
+        blanketTypeParam) and
       pos.isSelf()
     )
   }
@@ -1071,8 +1072,8 @@ private module MethodResolution {
   }
 
   /**
-   * Holds if method call `mc` may target a method in blanket implementation `i`
-   * with `self` parameter having type `selfType`.
+   * Holds if method call `mc` may target a method in blanket (like) implementation
+   * `impl` with `self` parameter having type `selfType`.
    *
    * `blanketPath` points to the type `blanketTypeParam` inside `selfType`, which
    * is the type parameter used in the blanket implementation.
@@ -1083,13 +1084,13 @@ private module MethodResolution {
    */
   bindingset[mc]
   pragma[inline_late]
-  private predicate methodCallBlanketCandidate(
+  private predicate methodCallBlanketLikeCandidate(
     MethodCall mc, Method m, ImplItemNode impl, AssocFunctionType self, TypePath blanketPath,
     TypeParam blanketTypeParam
   ) {
     exists(string name, int arity |
       mc.hasNameAndArity(name, arity) and
-      methodInfoBlanket(m, name, arity, impl, _, self, blanketPath, blanketTypeParam)
+      methodInfoBlanketLike(m, name, arity, impl, _, self, blanketPath, blanketTypeParam)
     |
       methodCallVisibleImplTraitCandidate(mc, impl)
       or
@@ -1145,7 +1146,7 @@ private module MethodResolution {
       or
       this.supportsAutoDerefAndBorrow() and
       exists(TypePath path0, Type t0, string derefChain0 |
-        this.hasNoCompatibleTarget(derefChain0, _) and
+        this.hasNoCompatibleTargetBorrow(derefChain0, _) and
         t0 = this.getACandidateReceiverTypeAtNoBorrow(path0, derefChain0)
       |
         path0.isCons(TRefTypeParameter(), path) and
@@ -1174,6 +1175,21 @@ private module MethodResolution {
       derefChainBorrow = ";"
     }
 
+    /**
+     * Holds if the method inside blanket-like implementation `i` with matching name
+     * and arity can be ruled out as a target of this call, either because the candidate
+     * receiver type represented by `derefChainBorrow` is incompatible with the `self`
+     * parameter type, or because the blanket constraint is not satisfied.
+     */
+    pragma[nomagic]
+    private predicate hasIncompatibleBlanketLikeTarget(ImplItemNode i, string derefChainBorrow) {
+      ReceiverIsNotInstantiationOfBlanketLikeSelfParam::argIsNotInstantiationOf(MkMethodCallCand(this,
+          derefChainBorrow), i, _)
+      or
+      ReceiverSatisfiesBlanketLikeConstraint::satisfiesNotBlanketConstraint(MkMethodCallCand(this,
+          derefChainBorrow), i)
+    }
+
     /**
      * Same as `getACandidateReceiverTypeAt`, but with traits substituted in for types
      * with trait bounds.
@@ -1191,10 +1207,9 @@ private module MethodResolution {
     }
 
     bindingset[strippedTypePath, strippedType, derefChainBorrow]
-    private predicate hasNoCompatibleTargetCheck(
+    private predicate hasNoCompatibleNonBlanketLikeTargetCheck(
       TypePath strippedTypePath, Type strippedType, string derefChainBorrow
     ) {
-      // todo: also check that all blanket implementation candidates are incompatible
       forall(ImplOrTraitItemNode i |
         methodCallNonBlanketCandidate(this, _, i, _, strippedTypePath, strippedType)
         or
@@ -1204,6 +1219,28 @@ private module MethodResolution {
       )
     }
 
+    bindingset[strippedTypePath, strippedType, derefChainBorrow]
+    private predicate hasNoCompatibleTargetCheck(
+      TypePath strippedTypePath, Type strippedType, string derefChainBorrow
+    ) {
+      this.hasNoCompatibleNonBlanketLikeTargetCheck(strippedTypePath, strippedType, derefChainBorrow) and
+      forall(ImplItemNode i | methodCallBlanketLikeCandidate(this, _, i, _, _, _) |
+        this.hasIncompatibleBlanketLikeTarget(i, derefChainBorrow)
+      )
+    }
+
+    bindingset[strippedTypePath, strippedType, derefChainBorrow]
+    private predicate hasNoCompatibleNonBlanketTargetCheck(
+      TypePath strippedTypePath, Type strippedType, string derefChainBorrow
+    ) {
+      this.hasNoCompatibleNonBlanketLikeTargetCheck(strippedTypePath, strippedType, derefChainBorrow) and
+      forall(ImplItemNode i |
+        methodCallBlanketLikeCandidate(this, _, i, _, _, _) and not i.isBlanketImplementation()
+      |
+        this.hasIncompatibleBlanketLikeTarget(i, derefChainBorrow)
+      )
+    }
+
     /**
      * Holds if the candidate receiver type represented by
      * `derefChainBorrow = derefChain;` does not have a matching method target.
@@ -1214,7 +1251,7 @@ private module MethodResolution {
         this.supportsAutoDerefAndBorrow()
         or
         // needed for the `hasNoCompatibleTarget` check in
-        // `SatisfiesBlanketConstraintInput::hasBlanketCandidate`
+        // `ReceiverSatisfiesBlanketLikeConstraintInput::hasBlanketCandidate`
         derefChain = ""
       ) and
       exists(TypePath strippedTypePath, Type strippedType |
@@ -1225,13 +1262,35 @@ private module MethodResolution {
       )
     }
 
+    /**
+     * Holds if the candidate receiver type represented by
+     * `derefChainBorrow = derefChain;` does not have a matching non-blanket
+     * method target.
+     */
+    pragma[nomagic]
+    predicate hasNoCompatibleNonBlanketTargetNoBorrow(string derefChain, string derefChainBorrow) {
+      (
+        this.supportsAutoDerefAndBorrow()
+        or
+        // needed for the `hasNoCompatibleTarget` check in
+        // `ReceiverSatisfiesBlanketLikeConstraintInput::hasBlanketCandidate`
+        derefChain = ""
+      ) and
+      exists(TypePath strippedTypePath, Type strippedType |
+        derefChainBorrow = derefChain + ";" and
+        not derefChain.matches("%.ref") and // no need to try a borrow if the last thing we did was a deref
+        strippedType = this.getComplexStrippedType(strippedTypePath, derefChainBorrow) and
+        this.hasNoCompatibleNonBlanketTargetCheck(strippedTypePath, strippedType, derefChainBorrow)
+      )
+    }
+
     /**
      * Holds if the candidate receiver type represented by
      * `derefChainBorrow = derefChain;borrow` does not have a matching method
      * target.
      */
     pragma[nomagic]
-    predicate hasNoCompatibleTarget(string derefChain, string derefChainBorrow) {
+    predicate hasNoCompatibleTargetBorrow(string derefChain, string derefChainBorrow) {
       exists(TypePath strippedTypePath, Type strippedType |
         derefChainBorrow = derefChain + ";borrow" and
         this.hasNoCompatibleTargetNoBorrow(derefChain, _) and
@@ -1240,6 +1299,21 @@ private module MethodResolution {
       )
     }
 
+    /**
+     * Holds if the candidate receiver type represented by
+     * `derefChainBorrow = derefChain;borrow` does not have a matching non-blanket
+     * method target.
+     */
+    pragma[nomagic]
+    predicate hasNoCompatibleNonBlanketTargetBorrow(string derefChain, string derefChainBorrow) {
+      exists(TypePath strippedTypePath, Type strippedType |
+        derefChainBorrow = derefChain + ";borrow" and
+        this.hasNoCompatibleTargetNoBorrow(derefChain, _) and
+        strippedType = this.getComplexStrippedType(strippedTypePath, derefChainBorrow) and
+        this.hasNoCompatibleNonBlanketTargetCheck(strippedTypePath, strippedType, derefChainBorrow)
+      )
+    }
+
     /**
      * Gets a [candidate receiver type][1] of this method call at `path`.
      *
@@ -1432,10 +1506,10 @@ private module MethodResolution {
     }
 
     pragma[nomagic]
-    predicate hasNoCompatibleTarget() {
-      mc_.hasNoCompatibleTarget(_, derefChainBorrow)
+    predicate hasNoCompatibleNonBlanketTarget() {
+      mc_.hasNoCompatibleNonBlanketTargetBorrow(_, derefChainBorrow)
       or
-      mc_.hasNoCompatibleTargetNoBorrow(_, derefChainBorrow)
+      mc_.hasNoCompatibleNonBlanketTargetNoBorrow(_, derefChainBorrow)
     }
 
     pragma[nomagic]
@@ -1518,20 +1592,20 @@ private module MethodResolution {
     Location getLocation() { result = mc_.getLocation() }
   }
 
-  private module ReceiverSatisfiesBlanketConstraintInput implements
+  private module ReceiverSatisfiesBlanketLikeConstraintInput implements
     BlanketImplementation::SatisfiesBlanketConstraintInputSig<MethodCallCand>
   {
     pragma[nomagic]
     predicate hasBlanketCandidate(
       MethodCallCand mcc, ImplItemNode impl, TypePath blanketPath, TypeParam blanketTypeParam
     ) {
-      exists(MethodCall mc, string name, int arity |
-        mcc.hasSignature(mc, _, _, name, arity) and
-        methodCallBlanketCandidate(mc, _, impl, _, blanketPath, blanketTypeParam) and
+      exists(MethodCall mc |
+        mc = mcc.getMethodCall() and
+        methodCallBlanketLikeCandidate(mc, _, impl, _, blanketPath, blanketTypeParam) and
         // Only apply blanket implementations when no other implementations are possible;
         // this is to account for codebases that use the (unstable) specialization feature
         // (https://rust-lang.github.io/rfcs/1210-impl-specialization.html)
-        mcc.hasNoCompatibleTarget()
+        (mcc.hasNoCompatibleNonBlanketTarget() or not impl.isBlanketImplementation())
       |
         mcc.hasNoBorrow()
         or
@@ -1540,9 +1614,9 @@ private module MethodResolution {
     }
   }
 
-  private module ReceiverSatisfiesBlanketConstraint =
+  private module ReceiverSatisfiesBlanketLikeConstraint =
     BlanketImplementation::SatisfiesBlanketConstraint<MethodCallCand,
-      ReceiverSatisfiesBlanketConstraintInput>;
+      ReceiverSatisfiesBlanketLikeConstraintInput>;
 
   /**
    * A configuration for matching the type of a receiver against the type of
@@ -1563,8 +1637,8 @@ private module MethodResolution {
       |
         methodCallNonBlanketCandidate(mc, m, i, selfType, strippedTypePath, strippedType)
         or
-        methodCallBlanketCandidate(mc, m, i, selfType, _, _) and
-        ReceiverSatisfiesBlanketConstraint::satisfiesBlanketConstraint(mcc, i)
+        methodCallBlanketLikeCandidate(mc, m, i, selfType, _, _) and
+        ReceiverSatisfiesBlanketLikeConstraint::satisfiesBlanketConstraint(mcc, i)
       )
     }
 
@@ -1589,6 +1663,30 @@ private module MethodResolution {
   private module ReceiverIsInstantiationOfSelfParam =
     ArgIsInstantiationOf<MethodCallCand, ReceiverIsInstantiationOfSelfParamInput>;
 
+  /**
+   * A configuration for anti-matching the type of a receiver against the type of
+   * a `self` parameter belonging to a blanket (like) implementation.
+   */
+  private module ReceiverIsNotInstantiationOfBlanketLikeSelfParamInput implements
+    IsInstantiationOfInputSig<MethodCallCand, AssocFunctionType>
+  {
+    pragma[nomagic]
+    predicate potentialInstantiationOf(
+      MethodCallCand mcc, TypeAbstraction abs, AssocFunctionType constraint
+    ) {
+      methodCallBlanketLikeCandidate(mcc.getMethodCall(), _, abs, constraint, _, _) and
+      if abs.(Impl).hasTrait()
+      then
+        // inherent methods take precedence over trait methods, so only allow
+        // trait methods when there are no matching inherent methods
+        mcc.hasNoInherentTarget()
+      else any()
+    }
+  }
+
+  private module ReceiverIsNotInstantiationOfBlanketLikeSelfParam =
+    ArgIsInstantiationOf<MethodCallCand, ReceiverIsNotInstantiationOfBlanketLikeSelfParamInput>;
+
   /**
    * A configuration for matching the type qualifier of a method call
    * against the type being implemented in an `impl` block. For example,
@@ -1642,10 +1740,6 @@ private module MethodResolution {
       ReceiverIsInstantiationOfSelfParamInput::potentialInstantiationOf0(mcc, abs, constraint) and
       abs = any(Impl i | not i.hasTrait())
     }
-
-    predicate relevantConstraint(AssocFunctionType constraint) {
-      methodInfo(_, _, _, _, constraint, _, _)
-    }
   }
 
   private module ReceiverIsNotInstantiationOfInherentSelfParam =
@@ -1901,18 +1995,18 @@ private module NonMethodResolution {
   }
 
   pragma[nomagic]
-  private predicate functionInfoBlanketRelevantPos(
+  private predicate functionInfoBlanketLikeRelevantPos(
     NonMethodFunction f, string name, int arity, ImplItemNode impl, Trait trait,
     FunctionTypePosition pos, AssocFunctionType t, TypePath blanketPath, TypeParam blanketTypeParam
   ) {
-    functionInfoBlanket(f, name, arity, impl, trait, pos, t, blanketPath, blanketTypeParam) and
+    functionInfoBlanketLike(f, name, arity, impl, trait, pos, t, blanketPath, blanketTypeParam) and
     (
       not pos.isReturn()
       or
       // We only check that the context of the call provides relevant type information
       // when no argument can
       not exists(FunctionTypePosition pos0 |
-        functionInfoBlanket(f, name, arity, impl, trait, pos0, _, _, _) and
+        functionInfoBlanketLike(f, name, arity, impl, trait, pos0, _, _, _) and
         not pos0.isReturn()
       )
     )
@@ -1922,7 +2016,7 @@ private module NonMethodResolution {
   private predicate blanketCallTraitCandidate(Element fc, Trait trait) {
     exists(string name, int arity |
       fc.(NonMethodCall).hasNameAndArity(name, arity) and
-      functionInfoBlanketRelevantPos(_, name, arity, _, trait, _, _, _, _)
+      functionInfoBlanketLikeRelevantPos(_, name, arity, _, trait, _, _, _, _)
     |
       not fc.(Call).hasTrait()
       or
@@ -1998,7 +2092,7 @@ private module NonMethodResolution {
       exists(string name, int arity, Trait trait, AssocFunctionType t |
         this.hasNameAndArity(name, arity) and
         exists(this.getTypeAt(pos, blanketPath)) and
-        functionInfoBlanketRelevantPos(_, name, arity, impl, trait, pos, t, blanketPath,
+        functionInfoBlanketLikeRelevantPos(_, name, arity, impl, trait, pos, t, blanketPath,
           blanketTypeParam) and
         BlanketTraitIsVisible::traitIsVisible(this, trait)
       )
@@ -2084,12 +2178,12 @@ private module NonMethodResolution {
       exists(FunctionTypePosition pos |
         ArgSatisfiesBlanketConstraint::satisfiesBlanketConstraint(fcp, abs) and
         fcp = MkCallAndBlanketPos(_, pos) and
-        functionInfoBlanketRelevantPos(_, _, _, abs, _, pos, constraint, _, _)
+        functionInfoBlanketLikeRelevantPos(_, _, _, abs, _, pos, constraint, _, _)
       )
     }
 
     predicate relevantConstraint(AssocFunctionType constraint) {
-      functionInfoBlanketRelevantPos(_, _, _, _, _, _, constraint, _, _)
+      functionInfoBlanketLikeRelevantPos(_, _, _, _, _, _, constraint, _, _)
     }
   }
 

rust/ql/lib/codeql/rust/internal/typeinference/BlanketImplementation.qll

@@ -132,4 +132,17 @@ module SatisfiesBlanketConstraint<
       SatisfiesBlanketConstraint::satisfiesConstraintType(ato, TTrait(traitBound), _, _)
     )
   }
+
+  /**
+   * Holds if the argument type `at` does _not_ satisfy the first non-trivial blanket
+   * constraint of `impl`.
+   */
+  pragma[nomagic]
+  predicate satisfiesNotBlanketConstraint(ArgumentType at, ImplItemNode impl) {
+    exists(ArgumentTypeAndBlanketOffset ato, Trait traitBound |
+      ato = MkArgumentTypeAndBlanketOffset(at, _) and
+      SatisfiesBlanketConstraintInput::relevantConstraint(ato, impl, traitBound) and
+      SatisfiesBlanketConstraint::satisfiesNotConstraint(ato, TTrait(traitBound))
+    )
+  }
 }

rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected

@@ -1,6 +1,4 @@
 multipleCallTargets
-| blanket_impl.rs:257:18:257:27 | ... .m2() |
-| blanket_impl.rs:259:18:259:24 | S1.m4() |
 | dereference.rs:69:15:69:24 | e1.deref() |
 | dereference.rs:182:17:182:26 | ... .foo() |
 | dereference.rs:183:17:183:23 | S.foo() |