wip

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -15,6 +15,8 @@ private import codeql.rust.internal.PathResolution
 private import codeql.rust.controlflow.ControlFlowGraph
 private import codeql.rust.dataflow.Ssa
 private import codeql.rust.dataflow.FlowSummary
+private import codeql.rust.internal.TypeInference as TypeInference
+private import codeql.rust.internal.typeinference.DerefChain
 private import Node
 private import Content
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -60,6 +62,10 @@ final class DataFlowCall extends TDataFlowCall {
   /** Gets the underlying call, if any. */
   Call asCall() { this = TCall(result) }
 
+  predicate isImplicitDeref(AstNode n, DerefChain derefChain, int i, Function target) {
+    this = TImplicitDerefCall(n, derefChain, i, target)
+  }
+
   predicate isSummaryCall(
     FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
   ) {
@@ -69,12 +75,19 @@ final class DataFlowCall extends TDataFlowCall {
   DataFlowCallable getEnclosingCallable() {
     result.asCfgScope() = this.asCall().getEnclosingCfgScope()
     or
+    result.asCfgScope() = any(AstNode n | this.isImplicitDeref(n, _, _, _)).getEnclosingCfgScope()
+    or
     this.isSummaryCall(result.asSummarizedCallable(), _)
   }
 
   string toString() {
     result = this.asCall().toString()
     or
+    exists(AstNode n, DerefChain derefChain, int i, Function target |
+      this.isImplicitDeref(n, derefChain, i, target) and
+      result = "[implicit deref call " + i + " in " + derefChain + "] " + n
+    )
+    or
     exists(
       FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
     |
@@ -83,7 +96,11 @@ final class DataFlowCall extends TDataFlowCall {
     )
   }
 
-  Location getLocation() { result = this.asCall().getLocation() }
+  Location getLocation() {
+    result = this.asCall().getLocation()
+    or
+    result = any(AstNode n | this.isImplicitDeref(n, _, _, _)).getLocation()
+  }
 }
 
 /**
@@ -383,7 +400,8 @@ module RustDataFlow implements InputSig<Location> {
     node.(FlowSummaryNode).getSummaryNode().isHidden() or
     node instanceof CaptureNode or
     node instanceof ClosureParameterNode or
-    node instanceof DerefBorrowNode or
+    node instanceof ImplicitDerefNode or
+    node instanceof ImplicitBorrowNode or
     node instanceof DerefOutNode or
     node instanceof IndexOutNode or
     node.asExpr() instanceof ParenExpr or
@@ -463,6 +481,8 @@ module RustDataFlow implements InputSig<Location> {
         not staticTarget.fromSource()
       )
     )
+    or
+    call = TImplicitDerefCall(_, _, _, result.asCfgScope())
   }
 
   /**
@@ -542,16 +562,18 @@ module RustDataFlow implements InputSig<Location> {
   }
 
   pragma[nomagic]
-  private predicate implicitDeref(Node node1, DerefBorrowNode node2, ReferenceContent c) {
-    not node2.isBorrow() and
-    node1.asExpr() = node2.getNode() and
+  private predicate implicitDeref(ImplicitDerefNode node1, Node node2, ReferenceContent c) {
+    node2 = node1.getDerefOutputNode() and
     exists(c)
   }
 
   pragma[nomagic]
-  private predicate implicitBorrow(Node node1, DerefBorrowNode node2, ReferenceContent c) {
-    node2.isBorrow() and
-    node1.asExpr() = node2.getNode() and
+  private predicate implicitBorrow(Node node1, Node node2, ReferenceContent c) {
+    (
+      node1 = node2.(ImplicitDerefNode).getBorrowInputNode()
+      or
+      node1 = node2.(ImplicitBorrowNode).getBorrowInputNode()
+    ) and
     exists(c)
   }
 
@@ -563,10 +585,10 @@ module RustDataFlow implements InputSig<Location> {
 
   private Node getFieldExprContainerNode(FieldExpr fe) {
     exists(Expr container | container = fe.getContainer() |
-      not any(DerefBorrowNode n).getNode() = container and
+      // not any(DerefBorrowNode n).getNode() = container and
       result.asExpr() = container
-      or
-      result.(DerefBorrowNode).getNode() = container
+      // or
+      // result.(DerefBorrowNode).getNode() = container
     )
   }
 
@@ -1055,6 +1077,10 @@ private module Cached {
       Stages::DataFlowStage::ref() and
       call.hasEnclosingCfgScope()
     } or
+    TImplicitDerefCall(AstNode n, DerefChain derefChain, int i, Function target) {
+      TypeInference::implicitDerefChainBorrow(n, derefChain, _) and
+      target = derefChain.getElement(i).getDerefFunction()
+    } or
     TSummaryCall(
       FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
     ) {

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -15,6 +15,7 @@ private import codeql.rust.controlflow.CfgNodes
 private import codeql.rust.dataflow.Ssa
 private import codeql.rust.dataflow.FlowSummary
 private import codeql.rust.internal.TypeInference as TypeInference
+private import codeql.rust.internal.typeinference.DerefChain
 private import Node as Node
 private import DataFlowImpl
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -229,8 +230,7 @@ final class ExprArgumentNode extends ArgumentNode, ExprNode {
 
   ExprArgumentNode() {
     isArgumentForCall(n, call_, pos_) and
-    not TypeInference::implicitDeref(n) and
-    not TypeInference::implicitBorrow(n, _)
+    not TypeInference::implicitDerefChainBorrow(n, _, _)
   }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
@@ -242,34 +242,103 @@ final class ExprArgumentNode extends ArgumentNode, ExprNode {
  * A node that represents the value of an expression _after_ implicit dereferencing
  * or borrowing.
  */
-class DerefBorrowNode extends Node, TDerefBorrowNode {
+class ImplicitDerefNode extends Node, TImplicitDerefNode {
   AstNode n;
-  boolean isBorrow;
+  DerefChain derefChain;
+  ImplicitDerefNodeState state;
+  int i;
 
-  DerefBorrowNode() { this = TDerefBorrowNode(n, isBorrow, false) }
+  ImplicitDerefNode() { this = TImplicitDerefNode(n, derefChain, state, i, false) }
 
-  AstNode getNode() { result = n }
+  Node getBorrowInputNode() {
+    state = TImplicitDerefNodeBorrowState() and
+    (
+      i = 0 and
+      result.(AstNodeNode).getAstNode() = n
+      or
+      result = TImplicitDerefNode(n, derefChain, TImplicitDerefNodeAfterDerefState(), i - 1, false)
+    )
+  }
 
-  predicate isBorrow() { isBorrow = true }
+  Node getDerefOutputNode() {
+    state = TImplicitDerefNodeBeforeDerefState() and
+    result = TImplicitDerefNode(n, derefChain, TImplicitDerefNodeAfterDerefState(), i, false)
+    // (
+    //   i = derefChain.length() - 1 and
+    //   result.(AstNodeNode).getAstNode() = n
+    //   or
+    //   result = TImplicitDerefNode(n, derefChain, TImplicitDerefNodeAfterDerefState(), i - 1, false)
+    // )
+  }
 
+  // AstNode getNode() { result = n }
   override CfgScope getCfgScope() { result = n.getEnclosingCfgScope() }
 
   override Location getLocation() { result = n.getLocation() }
 
-  override string toString() {
-    if isBorrow = true then result = n + " [borrowed]" else result = n + " [dereferenced]"
+  override string toString() { result = n + " [implicit deref " + i + " in state " + state + "]" }
+}
+
+/**
+ * A node that represents the value of an argument of a call _after_ implicit
+ * dereferencing or borrowing.
+ */
+final class ImplicitDerefArgNode extends ImplicitDerefNode, ArgumentNode {
+  private DataFlowCall call_;
+  private RustDataFlow::ArgumentPosition pos_;
+
+  ImplicitDerefArgNode() {
+    state = TImplicitDerefNodeBorrowState() and
+    call_ = TImplicitDerefCall(n, derefChain, i, _) and
+    pos_.isSelf()
+    or
+    state = TImplicitDerefNodeAfterDerefState() and
+    i = derefChain.length() - 1 and
+    TypeInference::implicitDerefChainBorrow(n, derefChain, false) and
+    isArgumentForCall(n, call_.asCall(), pos_)
+  }
+
+  override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
+    call = call_ and pos = pos_
+  }
+}
+
+/**
+ * A node that represents the value of an expression _after_ implicit dereferencing
+ * or borrowing.
+ */
+class ImplicitBorrowNode extends Node, TImplicitBorrowNode {
+  AstNode n;
+  DerefChain derefChain;
+
+  ImplicitBorrowNode() { this = TImplicitBorrowNode(n, derefChain, false) }
+
+  Node getBorrowInputNode() {
+    result =
+      TImplicitDerefNode(n, derefChain, TImplicitDerefNodeAfterDerefState(),
+        derefChain.length() - 1, false)
+    or
+    derefChain.isEmpty() and
+    result.(AstNodeNode).getAstNode() = n
   }
+
+  // AstNode getNode() { result = n }
+  override CfgScope getCfgScope() { result = n.getEnclosingCfgScope() }
+
+  override Location getLocation() { result = n.getLocation() }
+
+  override string toString() { result = n + " [implicit borrow]" }
 }
 
 /**
  * A node that represents the value of an argument of a call _after_ implicit
  * dereferencing or borrowing.
  */
-final class DerefBorrowArgNode extends DerefBorrowNode, ArgumentNode {
+final class ImplicitBorrowArgNode extends ImplicitBorrowNode, ArgumentNode {
   private DataFlowCall call_;
   private RustDataFlow::ArgumentPosition pos_;
 
-  DerefBorrowArgNode() { isArgumentForCall(n, call_.asCall(), pos_) }
+  ImplicitBorrowArgNode() { isArgumentForCall(n, call_.asCall(), pos_) }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
     call = call_ and pos = pos_
@@ -478,17 +547,36 @@ final class ExprPostUpdateNode extends PostUpdateNode, TExprPostUpdateNode {
   override Location getLocation() { result = e.getLocation() }
 }
 
-final class DerefBorrowPostUpdateNode extends PostUpdateNode, TDerefBorrowNode {
-  private Expr arg;
-  private boolean isBorrow;
+final class ImplicitDerefPostUpdateNode extends PostUpdateNode, TImplicitDerefNode {
+  AstNode n;
+  DerefChain derefChain;
+  ImplicitDerefNodeState state;
+  int i;
 
-  DerefBorrowPostUpdateNode() { this = TDerefBorrowNode(arg, isBorrow, true) }
+  ImplicitDerefPostUpdateNode() { this = TImplicitDerefNode(n, derefChain, state, i, true) }
 
-  override DerefBorrowNode getPreUpdateNode() { result = TDerefBorrowNode(arg, isBorrow, false) }
+  override ImplicitDerefNode getPreUpdateNode() {
+    result = TImplicitDerefNode(n, derefChain, state, i, false)
+  }
 
-  override CfgScope getCfgScope() { result = arg.getEnclosingCfgScope() }
+  override CfgScope getCfgScope() { result = n.getEnclosingCfgScope() }
 
-  override Location getLocation() { result = arg.getLocation() }
+  override Location getLocation() { result = n.getLocation() }
+}
+
+final class ImplicitBorrowPostUpdateNode extends PostUpdateNode, TImplicitBorrowNode {
+  AstNode n;
+  DerefChain derefChain;
+
+  ImplicitBorrowPostUpdateNode() { this = TImplicitBorrowNode(n, derefChain, true) }
+
+  override ImplicitBorrowNode getPreUpdateNode() {
+    result = TImplicitBorrowNode(n, derefChain, false)
+  }
+
+  override CfgScope getCfgScope() { result = n.getEnclosingCfgScope() }
+
+  override Location getLocation() { result = n.getLocation() }
 }
 
 class DerefOutPostUpdateNode extends PostUpdateNode, TDerefOutNode {
@@ -544,6 +632,21 @@ final class CastNode extends ExprNode {
   CastNode() { none() }
 }
 
+newtype TImplicitDerefNodeState =
+  TImplicitDerefNodeBorrowState() or
+  TImplicitDerefNodeBeforeDerefState() or
+  TImplicitDerefNodeAfterDerefState()
+
+class ImplicitDerefNodeState extends TImplicitDerefNodeState {
+  string toString() {
+    this = TImplicitDerefNodeBorrowState() and result = "borrow"
+    or
+    this = TImplicitDerefNodeBeforeDerefState() and result = "before deref"
+    or
+    this = TImplicitDerefNodeAfterDerefState() and result = "after deref"
+  }
+}
+
 cached
 newtype TNode =
   TExprNode(Expr e) { e.hasEnclosingCfgScope() and Stages::DataFlowStage::ref() } or
@@ -575,12 +678,14 @@ newtype TNode =
         ]
     )
   } or
-  TDerefBorrowNode(AstNode n, boolean borrow, Boolean isPost) {
-    TypeInference::implicitDeref(n) and
-    borrow = false
-    or
-    TypeInference::implicitBorrow(n, _) and
-    borrow = true
+  TImplicitDerefNode(
+    AstNode n, DerefChain derefChain, ImplicitDerefNodeState state, int i, Boolean isPost
+  ) {
+    TypeInference::implicitDerefChainBorrow(n, derefChain, _) and
+    i in [0 .. derefChain.length() - 1]
+  } or
+  TImplicitBorrowNode(AstNode n, DerefChain derefChain, Boolean isPost) {
+    TypeInference::implicitDerefChainBorrow(n, derefChain, true)
   } or
   TDerefOutNode(DerefExpr de, Boolean isPost) or
   TIndexOutNode(IndexExpr ie, Boolean isPost) or

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -3934,33 +3934,22 @@ private Type inferCastExprType(CastExpr ce, TypePath path) {
 
 cached
 private module Cached {
-  /** Holds if `n` is implicitly dereferenced. */
+  /** Holds if `n` is implicitly dereferenced and/or borrowed. */
   cached
-  predicate implicitDeref(AstNode n) {
-    exists(DerefChain derefChain, DerefImplItemNode impl |
-      impl.resolveSelfTyBuiltin() instanceof Builtins::RefType and
-      derefChain = DerefChain::singleton(impl)
-    |
-      exists(BorrowKind borrow |
-        any(MethodResolution::MethodCall mc)
-            .argumentHasImplicitDerefChainBorrow(n, derefChain, borrow) and
-        borrow.isNoBorrow()
-      )
-      or
-      n =
-        any(FieldExpr fe |
-          exists(resolveStructFieldExpr(fe, derefChain))
-          or
-          exists(resolveTupleFieldExpr(fe, derefChain))
-        ).getContainer()
+  predicate implicitDerefChainBorrow(AstNode n, DerefChain derefChain, boolean borrow) {
+    exists(BorrowKind bk |
+      any(MethodResolution::MethodCall mc).argumentHasImplicitDerefChainBorrow(n, derefChain, bk) and
+      if bk.isNoBorrow() then borrow = false else borrow = true
     )
-  }
-
-  /** Holds if `n` is implicitly borrowed. */
-  cached
-  predicate implicitBorrow(AstNode n, boolean isMutable) {
-    any(MethodResolution::MethodCall mc)
-        .argumentHasImplicitDerefChainBorrow(n, DerefChain::nil(), TSomeBorrowKind(isMutable))
+    or
+    n =
+      any(FieldExpr fe |
+        exists(resolveStructFieldExpr(fe, derefChain))
+        or
+        exists(resolveTupleFieldExpr(fe, derefChain))
+      ).getContainer() and
+    not derefChain.isEmpty() and
+    borrow = false
   }
 
   /**

shared/util/codeql/util/UnboundList.qll

@@ -66,7 +66,7 @@ module Make<LocationSig Location, InputSig<Location> Input> {
 
     /** Gets the `i`th element in this list. */
     bindingset[this]
-    private Element getElement(int i) { result = decode(this.splitAt(".", i)) }
+    Element getElement(int i) { result = decode(this.splitAt(".", i)) }
 
     /** Gets a textual representation of this list. */
     bindingset[this]