special

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/Content.qll

@@ -35,6 +35,9 @@ class TupleFieldContent extends FieldContent, TTupleFieldContent {
     not field = any(TupleType tt).getATupleField()
   }
 
+  /** Gets the tuple field. */
+  TupleField getField() { result = field }
+
   /** Holds if this field belongs to an enum variant. */
   predicate isVariantField(Variant v, int pos) { field.isVariantField(v, pos) }
 
@@ -68,6 +71,9 @@ class StructFieldContent extends FieldContent, TStructFieldContent {
 
   StructFieldContent() { this = TStructFieldContent(field) }
 
+  /** Gets the struct field. */
+  StructField getField() { result = field }
+
   /** Holds if this field belongs to an enum variant. */
   predicate isVariantField(Variant v, string name) { field.isVariantField(v, name) }
 
@@ -256,10 +262,37 @@ final class OptionalBarrier extends ContentSet, TOptionalBarrier {
 
 private import codeql.rust.internal.CachedStages
 
+string tupleFieldApprox(TupleField field) {
+  exists(Variant v, int pos |
+    field.isVariantField(v, pos) and
+    result = v.getName().getText().charAt(0)
+  )
+  or
+  exists(Struct s, int pos |
+    field.isStructField(s, pos) and
+    result = s.getName().getText().charAt(0)
+  )
+}
+
+string structFieldApprox(StructField field) {
+  exists(Variant v, string name |
+    field.isVariantField(v, name) and
+    result = v.getName().getText().charAt(0) + "." + name
+  )
+  or
+  exists(Struct s, string name |
+    field.isStructField(s, name) and
+    result = s.getName().getText().charAt(0) + "." + name
+  )
+}
+
 cached
 newtype TContent =
-  TTupleFieldContent(TupleField field) { Stages::DataFlowStage::ref() } or
-  TStructFieldContent(StructField field) or
+  TTupleFieldContent(TupleField field) {
+    Stages::DataFlowStage::ref() and
+    exists(tupleFieldApprox(field))
+  } or
+  TStructFieldContent(StructField field) { exists(structFieldApprox(field)) } or
   TElementContent() or
   TFutureContent() or
   TTuplePositionContent(int pos) {
@@ -275,3 +308,41 @@ newtype TContent =
   } or
   TCapturedVariableContent(VariableCapture::CapturedVariable v) or
   TReferenceContent()
+
+cached
+newtype TContentApprox =
+  TTupleFieldContentApprox(string s) { Stages::DataFlowStage::ref() and s = tupleFieldApprox(_) } or
+  TStructFieldContentApprox(string s) { s = structFieldApprox(_) } or
+  TElementContentApprox() or
+  TFutureContentApprox() or
+  TTuplePositionContentApprox() or
+  TFunctionCallReturnContentApprox() or
+  TFunctionCallArgumentContentApprox() or
+  TCapturedVariableContentApprox() or
+  TReferenceContentApprox()
+
+final class ContentApprox extends TContentApprox {
+  /** Gets a textual representation of this element. */
+  string toString() {
+    exists(string s |
+      this = TTupleFieldContentApprox(s) or
+      this = TStructFieldContentApprox(s)
+    |
+      result = s
+    )
+    or
+    this = TElementContentApprox() and result = "element"
+    or
+    this = TFutureContentApprox() and result = "future"
+    or
+    this = TTuplePositionContentApprox() and result = "tuple.position"
+    or
+    this = TFunctionCallReturnContentApprox() and result = "function.return"
+    or
+    this = TFunctionCallArgumentContentApprox() and result = "function.argument"
+    or
+    this = TCapturedVariableContentApprox() and result = "captured.variable"
+    or
+    this = TReferenceContentApprox() and result = "&ref"
+  }
+}

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -274,6 +274,8 @@ private module Aliases {
 
   class ContentAlias = Content;
 
+  class ContentApproxAlias = ContentApprox;
+
   class ContentSetAlias = ContentSet;
 
   class LambdaCallKindAlias = LambdaCallKind;
@@ -495,9 +497,27 @@ module RustDataFlow implements InputSig<Location> {
 
   predicate forceHighPrecision(Content c) { none() }
 
-  final class ContentApprox = Content; // TODO: Implement if needed
+  class ContentApprox = ContentApproxAlias;
 
-  ContentApprox getContentApprox(Content c) { result = c }
+  ContentApprox getContentApprox(Content c) {
+    result = TTupleFieldContentApprox(tupleFieldApprox(c.(TupleFieldContent).getField()))
+    or
+    result = TStructFieldContentApprox(structFieldApprox(c.(StructFieldContent).getField()))
+    or
+    result = TElementContentApprox() and c instanceof ElementContent
+    or
+    result = TFutureContentApprox() and c instanceof FutureContent
+    or
+    result = TTuplePositionContentApprox() and c instanceof TuplePositionContent
+    or
+    result = TFunctionCallArgumentContentApprox() and c instanceof FunctionCallArgumentContent
+    or
+    result = TFunctionCallReturnContentApprox() and c instanceof FunctionCallReturnContent
+    or
+    result = TCapturedVariableContentApprox() and c instanceof CapturedVariableContent
+    or
+    result = TReferenceContentApprox() and c instanceof ReferenceContent
+  }
 
   /**
    * Holds if the parameter position `ppos` matches the argument position
@@ -523,6 +543,8 @@ module RustDataFlow implements InputSig<Location> {
         not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
       )
       or
+      nodeFrom = nodeTo.(ImplicitDerefNode).getLocalInputNode()
+      or
       VariableCapture::localFlowStep(nodeFrom, nodeTo)
     ) and
     model = ""

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -252,6 +252,10 @@ private newtype TImplicitDerefNodeState =
  * - `TImplicitDerefNodeBorrowState` represents the `&x` part,
  * - `TImplicitDerefNodeBeforeDerefState` represents the `Deref::deref(&x)` part, and
  * - `TImplicitDerefNodeAfterDerefState` represents the entire `*Deref::deref(&x)` part.
+ *
+ * When the targeted `deref` function is a no-op, we optimize away the call, skipping
+ * the `TImplicitDerefNodeBorrowState` state, and instead add a local step directly from
+ * `x` to the `TImplicitDerefNodeBeforeDerefState` state.
  */
 class ImplicitDerefNodeState extends TImplicitDerefNodeState {
   string toString() {
@@ -265,6 +269,8 @@ class ImplicitDerefNodeState extends TImplicitDerefNodeState {
 
 /**
  * A node used to represent implicit dereferencing.
+ *
+ * TODO: Special case `&` and `&mut` implementations.
  */
 class ImplicitDerefNode extends Node, TImplicitDerefNode {
   AstNode n;
@@ -274,11 +280,21 @@ class ImplicitDerefNode extends Node, TImplicitDerefNode {
 
   ImplicitDerefNode() { this = TImplicitDerefNode(n, derefChain, state, i, false) }
 
+  predicate isNoOp() { derefChain.isNoOp(i) }
+
+  AstNodeNode getLocalInputNode() {
+    result.getAstNode() = n and
+    state = TImplicitDerefNodeBorrowState() and
+    i = 0 and
+    derefChain.isNoOp(0)
+  }
+
   /**
    * Gets the node that should the predecessor in a reference store-step into this
    * node, if any.
    */
   Node getBorrowInputNode() {
+    not this.isNoOp() and
     state = TImplicitDerefNodeBorrowState() and
     (
       i = 0 and
@@ -293,7 +309,11 @@ class ImplicitDerefNode extends Node, TImplicitDerefNode {
    * node, if any.
    */
   Node getDerefOutputNode() {
-    state = TImplicitDerefNodeBeforeDerefState() and
+    (
+      if this.isNoOp()
+      then state = TImplicitDerefNodeBorrowState()
+      else state = TImplicitDerefNodeBeforeDerefState()
+    ) and
     result = TImplicitDerefNode(n, derefChain, TImplicitDerefNodeAfterDerefState(), i, false)
   }
 
@@ -315,6 +335,7 @@ final class ImplicitDerefArgNode extends ImplicitDerefNode, ArgumentNode {
   private RustDataFlow::ArgumentPosition pos_;
 
   ImplicitDerefArgNode() {
+    not derefChain.isNoOp(i) and
     state = TImplicitDerefNodeBorrowState() and
     call_ = TImplicitDerefCall(n, derefChain, i, _) and
     pos_.isSelf()
@@ -332,7 +353,10 @@ final class ImplicitDerefArgNode extends ImplicitDerefNode, ArgumentNode {
 private class ImplicitDerefOutNode extends ImplicitDerefNode, OutNode {
   private DataFlowCall call;
 
-  ImplicitDerefOutNode() { state = TImplicitDerefNodeBeforeDerefState() }
+  ImplicitDerefOutNode() {
+    not derefChain.getElement(i).isNoOp() and
+    state = TImplicitDerefNodeBeforeDerefState()
+  }
 
   override DataFlowCall getCall(ReturnKind kind) {
     result = TImplicitDerefCall(n, derefChain, i, _) and

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -3235,7 +3235,7 @@ private Type getFieldExprLookupType(FieldExpr fe, string name, DerefChain derefC
     derefChain = DerefChain::nil()
     or
     exists(DerefImplItemNode impl, TypeParamTypeParameter tp |
-      tp.getTypeParam() = impl.resolveSelfTy().getTypeParam(0) and
+      tp = impl.getFirstSelfTypeParameter() and
       path.getHead() = tp and
       derefChain = DerefChain::singleton(impl)
     )

rust/ql/lib/codeql/rust/internal/typeinference/DerefChain.qll

@@ -41,6 +41,25 @@ class DerefImplItemNode extends ImplItemNode {
       path0.isCons(getRefTypeParameter(false), path)
     )
   }
+
+  /** Gets the first type parameter of the type being implemented, if any. */
+  pragma[nomagic]
+  TypeParamTypeParameter getFirstSelfTypeParameter() {
+    result.getTypeParam() = this.resolveSelfTy().getTypeParam(0)
+  }
+
+  /**
+   * Holds if this `Deref` implementation is a no-op.
+   *
+   * That is, either it is
+   *
+   * [`impl<T> Deref for &T`](https://doc.rust-lang.org/std/ops/trait.Deref.html#impl-Deref-for-%26T)
+   *
+   * or
+   *
+   * [`impl<T> Deref for &mut T`](https://doc.rust-lang.org/std/ops/trait.Deref.html#impl-Deref-for-%26mut+T).
+   */
+  predicate isNoOp() { this.resolveSelfTyBuiltin() instanceof Builtins::RefType }
 }
 
 private module UnboundListInput implements UnboundListImpl::InputSig<Location> {
@@ -70,7 +89,13 @@ private import UnboundListImpl::Make<Location, UnboundListInput>
  * A sequence of `Deref` impl blocks representing a chain of implicit dereferences,
  * encoded as a string.
  */
-class DerefChain = UnboundList;
+class DerefChain extends UnboundList {
+  bindingset[this]
+  DerefChain() { exists(this) }
+
+  bindingset[this]
+  predicate isNoOp(int i) { this.getElement(i).isNoOp() }
+}
 
 /** Provides predicates for constructing `DerefChain`s. */
 module DerefChain = UnboundList;

rust/ql/test/library-tests/dataflow/collections/inline-flow.expected

@@ -37,10 +37,8 @@ edges
 | main.rs:47:14:47:16 | arr | main.rs:47:14:47:19 | arr[0] | provenance | MaD:4 |
 | main.rs:63:18:63:22 | SelfParam [&ref, S] | main.rs:63:56:65:9 | { ... } [&ref, S] | provenance |  |
 | main.rs:76:34:76:44 | ...: Self [S] | main.rs:77:23:77:27 | other [S] | provenance |  |
-| main.rs:77:13:77:16 | [post] self [&ref, S] | main.rs:76:23:76:31 | SelfParam [Return] [&ref, S] | provenance |  |
-| main.rs:77:13:77:16 | [post] self [&ref, tuple.0] | main.rs:76:23:76:31 | SelfParam [Return] [&ref, tuple.0] | provenance |  |
-| main.rs:77:13:77:18 | [post] self.0 | main.rs:77:13:77:16 | [post] self [&ref, S] | provenance |  |
-| main.rs:77:13:77:18 | [post] self.0 | main.rs:77:13:77:16 | [post] self [&ref, tuple.0] | provenance |  |
+| main.rs:77:13:77:18 | [post] self.0 | main.rs:76:23:76:31 | SelfParam [Return] [&ref, S] | provenance |  |
+| main.rs:77:13:77:18 | [post] self.0 | main.rs:76:23:76:31 | SelfParam [Return] [&ref, tuple.0] | provenance |  |
 | main.rs:77:23:77:27 | other [S] | main.rs:77:23:77:29 | other.0 | provenance |  |
 | main.rs:77:23:77:29 | other.0 | main.rs:77:13:77:18 | [post] self.0 | provenance | MaD:2 |
 | main.rs:77:23:77:29 | other.0 | main.rs:77:13:77:18 | [post] self.0 | provenance | MaD:3 |
@@ -158,8 +156,6 @@ nodes
 | main.rs:76:23:76:31 | SelfParam [Return] [&ref, S] | semmle.label | SelfParam [Return] [&ref, S] |
 | main.rs:76:23:76:31 | SelfParam [Return] [&ref, tuple.0] | semmle.label | SelfParam [Return] [&ref, tuple.0] |
 | main.rs:76:34:76:44 | ...: Self [S] | semmle.label | ...: Self [S] |
-| main.rs:77:13:77:16 | [post] self [&ref, S] | semmle.label | [post] self [&ref, S] |
-| main.rs:77:13:77:16 | [post] self [&ref, tuple.0] | semmle.label | [post] self [&ref, tuple.0] |
 | main.rs:77:13:77:18 | [post] self.0 | semmle.label | [post] self.0 |
 | main.rs:77:23:77:27 | other [S] | semmle.label | other [S] |
 | main.rs:77:23:77:29 | other.0 | semmle.label | other.0 |

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -8,22 +8,20 @@ edges
 | main.rs:17:9:17:9 | a | main.rs:18:10:18:10 | a | provenance |  |
 | main.rs:17:13:17:23 | get_data(...) | main.rs:17:9:17:9 | a | provenance |  |
 | main.rs:26:28:26:33 | ...: i64 | main.rs:27:21:27:21 | n | provenance |  |
-| main.rs:27:9:27:12 | [post] self [&ref, MyStruct] | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | provenance |  |
-| main.rs:27:21:27:21 | n | main.rs:27:9:27:12 | [post] self [&ref, MyStruct] | provenance |  |
-| main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:31:9:31:12 | self [&ref, MyStruct] | provenance |  |
-| main.rs:31:9:31:12 | self [&ref, MyStruct] | main.rs:31:9:31:17 | self.data | provenance | MaD:1 |
+| main.rs:27:21:27:21 | n | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | provenance |  |
+| main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:31:9:31:17 | self.data | provenance |  |
 | main.rs:31:9:31:17 | self.data | main.rs:30:31:32:5 | { ... } | provenance |  |
 | main.rs:38:5:38:5 | [post] a [MyStruct] | main.rs:39:10:39:10 | a [MyStruct] | provenance |  |
 | main.rs:38:16:38:24 | source(...) | main.rs:26:28:26:33 | ...: i64 | provenance |  |
 | main.rs:38:16:38:24 | source(...) | main.rs:38:5:38:5 | [post] a [MyStruct] | provenance |  |
 | main.rs:39:10:39:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance |  |
-| main.rs:39:10:39:10 | a [MyStruct] | main.rs:39:10:39:21 | a.get_data() | provenance | MaD:1 |
+| main.rs:39:10:39:10 | a [MyStruct] | main.rs:39:10:39:21 | a.get_data() | provenance |  |
 | main.rs:46:9:46:14 | [post] &mut a [&ref, MyStruct] | main.rs:46:14:46:14 | [post] a [MyStruct] | provenance |  |
 | main.rs:46:14:46:14 | [post] a [MyStruct] | main.rs:49:10:49:10 | a [MyStruct] | provenance |  |
 | main.rs:48:15:48:23 | source(...) | main.rs:26:28:26:33 | ...: i64 | provenance |  |
 | main.rs:48:15:48:23 | source(...) | main.rs:46:9:46:14 | [post] &mut a [&ref, MyStruct] | provenance |  |
 | main.rs:49:10:49:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance |  |
-| main.rs:49:10:49:10 | a [MyStruct] | main.rs:49:10:49:21 | a.get_data() | provenance | MaD:1 |
+| main.rs:49:10:49:10 | a [MyStruct] | main.rs:49:10:49:21 | a.get_data() | provenance |  |
 | main.rs:52:12:52:17 | ...: i64 | main.rs:53:10:53:10 | n | provenance |  |
 | main.rs:57:9:57:9 | a | main.rs:58:13:58:13 | a | provenance |  |
 | main.rs:57:13:57:21 | source(...) | main.rs:57:9:57:9 | a | provenance |  |
@@ -112,9 +110,8 @@ edges
 | main.rs:238:24:238:27 | self [MyInt] | main.rs:238:24:238:33 | self.value | provenance |  |
 | main.rs:238:24:238:33 | self.value | main.rs:238:9:238:35 | MyInt {...} [MyInt] | provenance |  |
 | main.rs:243:30:243:39 | ...: MyInt [MyInt] | main.rs:244:22:244:24 | rhs [MyInt] | provenance |  |
-| main.rs:244:9:244:12 | [post] self [&ref, MyInt] | main.rs:243:19:243:27 | SelfParam [Return] [&ref, MyInt] | provenance |  |
 | main.rs:244:22:244:24 | rhs [MyInt] | main.rs:244:22:244:30 | rhs.value | provenance |  |
-| main.rs:244:22:244:30 | rhs.value | main.rs:244:9:244:12 | [post] self [&ref, MyInt] | provenance |  |
+| main.rs:244:22:244:30 | rhs.value | main.rs:243:19:243:27 | SelfParam [Return] [&ref, MyInt] | provenance |  |
 | main.rs:251:14:251:18 | SelfParam [&ref, MyInt] | main.rs:252:12:252:15 | self [&ref, MyInt] | provenance |  |
 | main.rs:252:9:252:22 | &... [&ref] | main.rs:251:38:253:5 | { ... } [&ref] | provenance |  |
 | main.rs:252:10:252:22 | ... .value | main.rs:252:9:252:22 | &... [&ref] | provenance |  |
@@ -233,11 +230,9 @@ nodes
 | main.rs:18:10:18:10 | a | semmle.label | a |
 | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | semmle.label | SelfParam [Return] [&ref, MyStruct] |
 | main.rs:26:28:26:33 | ...: i64 | semmle.label | ...: i64 |
-| main.rs:27:9:27:12 | [post] self [&ref, MyStruct] | semmle.label | [post] self [&ref, MyStruct] |
 | main.rs:27:21:27:21 | n | semmle.label | n |
 | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | semmle.label | SelfParam [&ref, MyStruct] |
 | main.rs:30:31:32:5 | { ... } | semmle.label | { ... } |
-| main.rs:31:9:31:12 | self [&ref, MyStruct] | semmle.label | self [&ref, MyStruct] |
 | main.rs:31:9:31:17 | self.data | semmle.label | self.data |
 | main.rs:38:5:38:5 | [post] a [MyStruct] | semmle.label | [post] a [MyStruct] |
 | main.rs:38:16:38:24 | source(...) | semmle.label | source(...) |
@@ -348,7 +343,6 @@ nodes
 | main.rs:238:24:238:33 | self.value | semmle.label | self.value |
 | main.rs:243:19:243:27 | SelfParam [Return] [&ref, MyInt] | semmle.label | SelfParam [Return] [&ref, MyInt] |
 | main.rs:243:30:243:39 | ...: MyInt [MyInt] | semmle.label | ...: MyInt [MyInt] |
-| main.rs:244:9:244:12 | [post] self [&ref, MyInt] | semmle.label | [post] self [&ref, MyInt] |
 | main.rs:244:22:244:24 | rhs [MyInt] | semmle.label | rhs [MyInt] |
 | main.rs:244:22:244:30 | rhs.value | semmle.label | rhs.value |
 | main.rs:251:14:251:18 | SelfParam [&ref, MyInt] | semmle.label | SelfParam [&ref, MyInt] |