Rust: Don't apply generated models for functions that have a manual model

paldepind · paldepind · commit 1b70111dd256 · 2025-12-15T14:25:49.000+01:00
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
@@ -123,12 +123,15 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
     summaryModel(path, _, _, _, provenance, _)
   }
 
+  private predicate hasManualModel() { summaryModel(path, _, _, _, "manual", _) }
+
   override predicate propagatesFlow(
     string input, string output, boolean preservesValue, string model
   ) {
-    exists(string kind, QlBuiltins::ExtensionId madId |
-      summaryModel(path, input, output, kind, _, madId) and
-      model = "MaD:" + madId.toString()
+    exists(string kind, string provenance, QlBuiltins::ExtensionId madId |
+      summaryModel(path, input, output, kind, provenance, madId) and
+      model = "MaD:" + madId.toString() and
+      (provenance = "manual" or not this.hasManualModel())
     |
       kind = "value" and
       preservesValue = true
diff --git a/rust/ql/test/library-tests/dataflow/models/main.rs b/rust/ql/test/library-tests/dataflow/models/main.rs
@@ -42,7 +42,7 @@ fn test_snd() {
     sink(snd(0, s1)); // $ hasValueFlow=99
 
     let s2 = source(88);
-    sink(snd(s2, 0)); // $ SPURIOUS: hasValueFlow=88
+    sink(snd(s2, 0));
 }
 
 // has a flow model
diff --git a/rust/ql/test/library-tests/dataflow/models/models.expected b/rust/ql/test/library-tests/dataflow/models/models.expected
@@ -24,8 +24,7 @@ models
 | 23 | Summary: main::set_tuple_element; Argument[0]; ReturnValue.Field[1]; value |
 | 24 | Summary: main::set_var_field; Argument[0]; ReturnValue.Field[main::MyFieldEnum::D::field_d]; value |
 | 25 | Summary: main::set_var_pos; Argument[0]; ReturnValue.Field[main::MyPosEnum::B(0)]; value |
-| 26 | Summary: main::snd; Argument[0]; ReturnValue; value |
-| 27 | Summary: main::snd; Argument[1]; ReturnValue; value |
+| 26 | Summary: main::snd; Argument[1]; ReturnValue; value |
 edges
 | main.rs:15:9:15:9 | s | main.rs:16:19:16:19 | s | provenance |  |
 | main.rs:15:9:15:9 | s | main.rs:16:19:16:19 | s | provenance |  |
@@ -40,14 +39,8 @@ edges
 | main.rs:41:9:41:10 | s1 | main.rs:42:17:42:18 | s1 | provenance |  |
 | main.rs:41:14:41:23 | source(...) | main.rs:41:9:41:10 | s1 | provenance |  |
 | main.rs:41:14:41:23 | source(...) | main.rs:41:9:41:10 | s1 | provenance |  |
-| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:27 |
-| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:27 |
-| main.rs:44:9:44:10 | s2 | main.rs:45:14:45:15 | s2 | provenance |  |
-| main.rs:44:9:44:10 | s2 | main.rs:45:14:45:15 | s2 | provenance |  |
-| main.rs:44:14:44:23 | source(...) | main.rs:44:9:44:10 | s2 | provenance |  |
-| main.rs:44:14:44:23 | source(...) | main.rs:44:9:44:10 | s2 | provenance |  |
-| main.rs:45:14:45:15 | s2 | main.rs:45:10:45:19 | snd(...) | provenance | MaD:26 |
-| main.rs:45:14:45:15 | s2 | main.rs:45:10:45:19 | snd(...) | provenance | MaD:26 |
+| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:26 |
+| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:26 |
 | main.rs:54:9:54:9 | s | main.rs:55:27:55:27 | s | provenance |  |
 | main.rs:54:9:54:9 | s | main.rs:55:27:55:27 | s | provenance |  |
 | main.rs:54:13:54:21 | source(...) | main.rs:54:9:54:9 | s | provenance |  |
@@ -347,14 +340,6 @@ nodes
 | main.rs:42:10:42:19 | snd(...) | semmle.label | snd(...) |
 | main.rs:42:17:42:18 | s1 | semmle.label | s1 |
 | main.rs:42:17:42:18 | s1 | semmle.label | s1 |
-| main.rs:44:9:44:10 | s2 | semmle.label | s2 |
-| main.rs:44:9:44:10 | s2 | semmle.label | s2 |
-| main.rs:44:14:44:23 | source(...) | semmle.label | source(...) |
-| main.rs:44:14:44:23 | source(...) | semmle.label | source(...) |
-| main.rs:45:10:45:19 | snd(...) | semmle.label | snd(...) |
-| main.rs:45:10:45:19 | snd(...) | semmle.label | snd(...) |
-| main.rs:45:14:45:15 | s2 | semmle.label | s2 |
-| main.rs:45:14:45:15 | s2 | semmle.label | s2 |
 | main.rs:54:9:54:9 | s | semmle.label | s |
 | main.rs:54:9:54:9 | s | semmle.label | s |
 | main.rs:54:13:54:21 | source(...) | semmle.label | source(...) |
@@ -700,8 +685,6 @@ invalidSpecComponent
 | main.rs:26:10:26:18 | coerce(...) | main.rs:25:13:25:22 | source(...) | main.rs:26:10:26:18 | coerce(...) | $@ | main.rs:25:13:25:22 | source(...) | source(...) |
 | main.rs:42:10:42:19 | snd(...) | main.rs:41:14:41:23 | source(...) | main.rs:42:10:42:19 | snd(...) | $@ | main.rs:41:14:41:23 | source(...) | source(...) |
 | main.rs:42:10:42:19 | snd(...) | main.rs:41:14:41:23 | source(...) | main.rs:42:10:42:19 | snd(...) | $@ | main.rs:41:14:41:23 | source(...) | source(...) |
-| main.rs:45:10:45:19 | snd(...) | main.rs:44:14:44:23 | source(...) | main.rs:45:10:45:19 | snd(...) | $@ | main.rs:44:14:44:23 | source(...) | source(...) |
-| main.rs:45:10:45:19 | snd(...) | main.rs:44:14:44:23 | source(...) | main.rs:45:10:45:19 | snd(...) | $@ | main.rs:44:14:44:23 | source(...) | source(...) |
 | main.rs:56:10:56:24 | get_var_pos(...) | main.rs:54:13:54:21 | source(...) | main.rs:56:10:56:24 | get_var_pos(...) | $@ | main.rs:54:13:54:21 | source(...) | source(...) |
 | main.rs:56:10:56:24 | get_var_pos(...) | main.rs:54:13:54:21 | source(...) | main.rs:56:10:56:24 | get_var_pos(...) | $@ | main.rs:54:13:54:21 | source(...) | source(...) |
 | main.rs:71:33:71:33 | i | main.rs:67:13:67:21 | source(...) | main.rs:71:33:71:33 | i | $@ | main.rs:67:13:67:21 | source(...) | source(...) |

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ fn test_snd() {`
`42`	`42`	`sink(snd(0, s1)); // $ hasValueFlow=99`
`43`	`43`
`44`	`44`	`let s2 = source(88);`
`45`		`- sink(snd(s2, 0)); // $ SPURIOUS: hasValueFlow=88`
	`45`	`+ sink(snd(s2, 0));`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`// has a flow model`