wip2

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -461,25 +461,7 @@ module RustDataFlow implements InputSig<Location> {
     exists(Call c | c = call.asCall() |
       result.asCfgScope() = c.getARuntimeTarget()
       or
-      exists(SummarizedCallable sc, Function staticTarget |
-        staticTarget = getStaticTargetExt(c) and
-        sc = result.asSummarizedCallable() and
-        // Only use summarized callables with generated summaries in case
-        // the static call target is not in the source code.
-        // Note that if `applyGeneratedModel` holds it implies that there doesn't
-        // exist a manual model.
-        not (
-          staticTarget.fromSource() and
-          sc.applyGeneratedModel()
-        )
-      |
-        sc = staticTarget
-        or
-        // only apply trait models to concrete implementations when they are not
-        // defined in source code
-        staticTarget.implements(sc) and
-        not staticTarget.fromSource()
-      )
+      result.asSummarizedCallable() = getStaticTargetExt(c)
     )
     or
     exists(Function f | call = TImplicitDerefCall(_, _, _, f) |

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -111,25 +111,55 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
   )
 }
 
-private class SummarizedCallableFromModel extends SummarizedCallable::Range {
-  private string path;
+private predicate summaryModel(
+  Function f, string input, string output, string kind, Provenance provenance, boolean isExact,
+  QlBuiltins::ExtensionId madId
+) {
+  exists(string path, Function f0 |
+    summaryModel(path, input, output, kind, provenance, madId) and
+    f0.getCanonicalPath() = path
+  |
+    f = f0 and
+    isExact = true
+    or
+    f.implements(f0) and
+    isExact = false
+  )
+}
 
-  SummarizedCallableFromModel() {
-    summaryModel(path, _, _, _, _, _) and
-    this.getCanonicalPath() = path
-  }
+private predicate summaryModelRelevant(
+  Function f, string input, string output, string kind, Provenance provenance,
+  QlBuiltins::ExtensionId madId
+) {
+  exists(boolean isExact | summaryModel(f, input, output, kind, provenance, isExact, madId) |
+    (
+      provenance.isManual()
+      or
+      provenance.isGenerated() and
+      not any(Provenance manual | summaryModel(f, _, _, _, manual, _, _)).isManual() and
+      not f.fromSource()
+    ) and
+    (
+      isExact = true
+      or
+      isExact = false and
+      not summaryModel(f, _, _, _, provenance, true, _)
+    )
+  )
+}
+
+private class SummarizedCallableFromModel extends SummarizedCallable::Range {
+  SummarizedCallableFromModel() { summaryModelRelevant(this, _, _, _, _, _) }
 
   override predicate hasProvenance(Provenance provenance) {
-    summaryModel(path, _, _, _, provenance, _)
+    summaryModelRelevant(this, _, _, _, provenance, _)
   }
 
-  private predicate hasManualModel() { summaryModel(path, _, _, _, "manual", _) }
-
   override predicate propagatesFlow(
     string input, string output, boolean preservesValue, string model
   ) {
     exists(string kind, string provenance, QlBuiltins::ExtensionId madId |
-      summaryModel(path, input, output, kind, provenance, madId) and
+      summaryModelRelevant(this, input, output, kind, provenance, madId) and
       model = "MaD:" + madId.toString() and
       (provenance = "manual" or not this.hasManualModel())
     |

rust/ql/lib/codeql/rust/frameworks/asyncstd/fs.model.yml

@@ -38,6 +38,6 @@ extensions:
       pack: codeql/rust-all
       extensible: summaryModel
     data:
-      - ["<async_std::path::pathbuf::PathBuf as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
+      # - ["<async_std::path::pathbuf::PathBuf as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
       - ["async_std::fs::canonicalize::canonicalize", "Argument[0].OptionalStep[normalize-path]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]
       - ["async_std::fs::canonicalize::canonicalize", "Argument[0].OptionalBarrier[normalize-path]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/alloc.model.yml

@@ -47,7 +47,7 @@ extensions:
       - ["<core::alloc::layout::Layout>::pad_to_align", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
       - ["<core::alloc::layout::Layout>::size", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
       # String
-      - ["<alloc::string::String as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
+      # - ["<alloc::string::String as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
       - ["<alloc::string::String>::as_str", "Argument[self]", "ReturnValue", "value", "manual"]
       - ["<alloc::string::String>::as_bytes", "Argument[self]", "ReturnValue", "value", "manual"]
       - ["<_ as alloc::string::ToString>::to_string", "Argument[self].Reference", "ReturnValue", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml

@@ -6,6 +6,7 @@ extensions:
       # Builtin deref
       - ["<& as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue", "value", "manual"]
       - ["<&mut as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue", "value", "manual"]
+      - ["<_ as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "hq-generated"]
       # Index
       - ["<_ as core::ops::index::Index>::index", "Argument[self].Reference.Element", "ReturnValue.Reference", "value", "manual"]
       - ["<_ as core::ops::index::IndexMut>::index_mut", "Argument[self].Reference.Element", "ReturnValue.Reference", "value", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml

@@ -58,7 +58,7 @@ extensions:
     data:
       - ["std::fs::canonicalize", "Argument[0].OptionalStep[normalize-path]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
       - ["std::fs::canonicalize", "Argument[0].OptionalBarrier[normalize-path]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
-      - ["<std::path::PathBuf as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
+      # - ["<std::path::PathBuf as core::ops::deref::Deref>::deref", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
       - ["<std::path::PathBuf>::as_path", "Argument[self].Reference", "ReturnValue.Reference", "value", "manual"]
       - ["<std::path::PathBuf>::as_mut_os_string", "Argument[Self].Reference", "ReturnValue.Reference", "value", "manual"]
       - ["<std::path::PathBuf>::into_os_string", "Argument[Self]", "ReturnValue", "value", "manual"]

rust/ql/test/library-tests/dataflow/global/viableCallable.expected

@@ -1,9 +1,9 @@
-| main.rs:2:5:2:12 | ... + ... | {EXTERNAL LOCATION} | fn add |
+| main.rs:2:5:2:12 | ... + ... | {EXTERNAL LOCATION} | [summarized] fn add |
 | main.rs:13:5:13:13 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:17:13:17:23 | get_data(...) | main.rs:12:1:14:1 | fn get_data |
 | main.rs:18:5:18:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:27:9:27:12 | [implicit deref call 0 in RefMut] self | {EXTERNAL LOCATION} | fn deref |
-| main.rs:31:9:31:12 | [implicit deref call 0 in Ref] self | {EXTERNAL LOCATION} | fn deref |
+| main.rs:27:9:27:12 | [implicit deref call 0 in RefMut] self | {EXTERNAL LOCATION} | [summarized] fn deref |
+| main.rs:31:9:31:12 | [implicit deref call 0 in Ref] self | {EXTERNAL LOCATION} | [summarized] fn deref |
 | main.rs:37:5:37:22 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:37:10:37:21 | a.get_data() | main.rs:30:5:32:5 | fn get_data |
 | main.rs:38:5:38:25 | a.set_data(...) | main.rs:26:5:28:5 | fn set_data |
@@ -62,33 +62,38 @@
 | main.rs:228:13:228:34 | ...::new(...) | main.rs:221:5:224:5 | fn new |
 | main.rs:228:24:228:33 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:230:5:230:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:244:9:244:12 | [implicit deref call 0 in RefMut] self | {EXTERNAL LOCATION} | fn deref |
-| main.rs:252:11:252:15 | * ... | {EXTERNAL LOCATION} | fn deref |
+| main.rs:244:9:244:12 | [implicit deref call 0 in RefMut] self | {EXTERNAL LOCATION} | [summarized] fn deref |
+| main.rs:252:11:252:15 | * ... | {EXTERNAL LOCATION} | [summarized] fn deref |
 | main.rs:258:28:258:36 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:260:13:260:17 | ... + ... | main.rs:236:5:239:5 | [summarized] fn add |
 | main.rs:260:13:260:17 | ... + ... | main.rs:236:5:239:5 | fn add |
 | main.rs:261:5:261:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:264:28:264:36 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:265:13:265:17 | ... + ... | main.rs:236:5:239:5 | [summarized] fn add |
 | main.rs:265:13:265:17 | ... + ... | main.rs:236:5:239:5 | fn add |
 | main.rs:266:5:266:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:268:28:268:36 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:270:13:270:20 | a.add(...) | main.rs:236:5:239:5 | [summarized] fn add |
 | main.rs:270:13:270:20 | a.add(...) | main.rs:236:5:239:5 | fn add |
 | main.rs:271:5:271:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:275:28:275:37 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:277:5:277:36 | ...::mul_assign(...) | main.rs:243:5:245:5 | [summarized] fn mul_assign |
 | main.rs:277:5:277:36 | ...::mul_assign(...) | main.rs:243:5:245:5 | fn mul_assign |
 | main.rs:278:5:278:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:281:28:281:37 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:282:5:282:10 | ... *= ... | main.rs:243:5:245:5 | [summarized] fn mul_assign |
 | main.rs:282:5:282:10 | ... *= ... | main.rs:243:5:245:5 | fn mul_assign |
 | main.rs:283:5:283:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:286:28:286:37 | source(...) | main.rs:1:1:3:1 | fn source |
-| main.rs:288:13:288:29 | * ... | {EXTERNAL LOCATION} | fn deref |
+| main.rs:288:13:288:29 | * ... | {EXTERNAL LOCATION} | [summarized] fn deref |
 | main.rs:288:14:288:29 | ...::deref(...) | main.rs:251:5:253:5 | fn deref |
 | main.rs:289:5:289:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:291:28:291:37 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:292:13:292:14 | * ... | main.rs:251:5:253:5 | fn deref |
 | main.rs:293:5:293:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:295:28:295:37 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:296:13:296:13 | [implicit deref call 0 in MyInt] a | main.rs:251:5:253:5 | fn deref |
-| main.rs:296:13:296:23 | a.min(...) | {EXTERNAL LOCATION} | fn min |
+| main.rs:296:13:296:23 | a.min(...) | {EXTERNAL LOCATION} | [summarized] fn min |
 | main.rs:297:5:297:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:319:28:319:36 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:321:30:321:54 | ...::take_self(...) | main.rs:309:5:311:5 | fn take_self |
@@ -106,14 +111,14 @@
 | main.rs:346:17:346:25 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:347:9:347:15 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:350:5:350:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:354:13:354:55 | ...::block_on(...) | {EXTERNAL LOCATION} | fn block_on |
+| main.rs:354:13:354:55 | ...::block_on(...) | {EXTERNAL LOCATION} | [summarized] fn block_on |
 | main.rs:354:41:354:54 | async_source(...) | main.rs:335:1:339:1 | fn async_source |
 | main.rs:355:5:355:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:357:5:357:62 | ...::block_on(...) | {EXTERNAL LOCATION} | fn block_on |
+| main.rs:357:5:357:62 | ...::block_on(...) | {EXTERNAL LOCATION} | [summarized] fn block_on |
 | main.rs:357:33:357:61 | test_async_await_async_part(...) | main.rs:341:1:351:1 | fn test_async_await_async_part |
 | main.rs:367:13:367:29 | self.get_number() | main.rs:378:9:380:9 | fn get_number |
 | main.rs:367:13:367:29 | self.get_number() | main.rs:386:9:388:9 | fn get_number |
-| main.rs:367:13:367:33 | ... * ... | {EXTERNAL LOCATION} | fn mul |
+| main.rs:367:13:367:33 | ... * ... | {EXTERNAL LOCATION} | [summarized] fn mul |
 | main.rs:371:13:371:21 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:379:13:379:21 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:391:13:391:22 | source(...) | main.rs:1:1:3:1 | fn source |