hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Rust: Handle writes to references and add encoding of reference content

Browse Source
This commit is contained in:
Simon Friis Vindum
2025-02-07 13:53:17 +01:00
parent 11685a820f
commit 11055760a4
9 changed files with 69 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
View File

@@ -1211,6 +1211,17 @@ module RustDataFlow implements InputSig<Location> {
)
}
pragma[nomagic]
private predicate referenceAssignment(Node node1, Node node2, ReferenceContent c) {
exists(AssignmentExprCfgNode assignment, PrefixExprCfgNode deref |
assignment.getLhs() = deref and
deref.getOperatorName() = "*" and
node1.asExpr() = assignment.getRhs() and
node2.asExpr() = deref.getExpr() and
exists(c)
)
}
pragma[nomagic]
private predicate storeContentStep(Node node1, Content c, Node node2) {
exists(CallExprCfgNode call, int pos |
@@ -1242,6 +1253,8 @@ module RustDataFlow implements InputSig<Location> {
or
fieldAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
or
referenceAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
or
exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index |
c instanceof ElementContent and
assignment.getLhs() = index and
@@ -1285,6 +1298,8 @@ module RustDataFlow implements InputSig<Location> {
predicate clearsContent(Node n, ContentSet cs) {
fieldAssignment(_, n, cs.(SingletonContentSet).getContent())
or
referenceAssignment(_, n, cs.(SingletonContentSet).getContent())
or
FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(Node::FlowSummaryNode).getSummaryNode(),
cs)
or

4
rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
View File

@@ -89,6 +89,10 @@ module Input implements InputSig<Location, RustDataFlow> {
arg = v.getExtendedCanonicalPath() + "(" + v.getPosition() + ")"
)
or
result = "Reference" and
c = TReferenceContent() and
arg = ""
or
result = "Element" and
c = TElementContent() and
arg = ""

5
rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
View File

@@ -81,9 +81,8 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, RustDataF
}
bindingset[c]
string paramReturnNodeAsOutput(R::Callable c, ParameterPosition pos) {
// TODO: Implement this to support returning through parameters.
result = "paramReturnNodeAsOutput(" + c + ", " + pos + ")"
string paramReturnNodeAsOutput(Callable c, ParameterPosition pos) {
result = paramReturnNodeAsContentOutput(c, pos)
}
bindingset[c]

17
rust/ql/test/library-tests/dataflow/global/inline-flow.expected
View File

@@ -42,6 +42,13 @@ edges
| main.rs:101:13:101:30 | mn.data_through(...) | main.rs:101:9:101:9 | b | provenance | |
| main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | provenance | |
| main.rs:101:29:101:29 | a | main.rs:101:13:101:30 | mn.data_through(...) | provenance | |
| main.rs:139:25:139:30 | ...: i64 | main.rs:140:10:140:10 | c | provenance | |
| main.rs:140:6:140:6 | [post] n [&ref] | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | provenance | |
| main.rs:140:10:140:10 | c | main.rs:140:6:140:6 | [post] n [&ref] | provenance | |
| main.rs:148:13:148:13 | [post] m [&ref] | main.rs:149:11:149:11 | m [&ref] | provenance | |
| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | provenance | |
| main.rs:148:16:148:25 | source(...) | main.rs:148:13:148:13 | [post] m [&ref] | provenance | |
| main.rs:149:11:149:11 | m [&ref] | main.rs:149:10:149:11 | * ... | provenance | |
nodes
| main.rs:12:28:14:1 | { ... } | semmle.label | { ... } |
| main.rs:13:5:13:13 | source(...) | semmle.label | source(...) |
@@ -92,11 +99,20 @@ nodes
| main.rs:101:13:101:30 | mn.data_through(...) | semmle.label | mn.data_through(...) |
| main.rs:101:29:101:29 | a | semmle.label | a |
| main.rs:102:10:102:10 | b | semmle.label | b |
| main.rs:139:12:139:22 | ...: ... [Return] [&ref] | semmle.label | ...: ... [Return] [&ref] |
| main.rs:139:25:139:30 | ...: i64 | semmle.label | ...: i64 |
| main.rs:140:6:140:6 | [post] n [&ref] | semmle.label | [post] n [&ref] |
| main.rs:140:10:140:10 | c | semmle.label | c |
| main.rs:148:13:148:13 | [post] m [&ref] | semmle.label | [post] m [&ref] |
| main.rs:148:16:148:25 | source(...) | semmle.label | source(...) |
| main.rs:149:10:149:11 | * ... | semmle.label | * ... |
| main.rs:149:11:149:11 | m [&ref] | semmle.label | m [&ref] |
subpaths
| main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) |
| main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) |
| main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | main.rs:51:36:53:5 | { ... } | main.rs:55:13:55:27 | pass_through(...) |
| main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | main.rs:77:43:83:5 | { ... } | main.rs:101:13:101:30 | mn.data_through(...) |
| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | main.rs:148:13:148:13 | [post] m [&ref] |
testFailures
#select
| main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
@@ -107,3 +123,4 @@ testFailures
| main.rs:68:14:68:14 | n | main.rs:94:13:94:21 | source(...) | main.rs:68:14:68:14 | n | $@ | main.rs:94:13:94:21 | source(...) | source(...) |
| main.rs:89:10:89:10 | a | main.rs:74:13:74:21 | source(...) | main.rs:89:10:89:10 | a | $@ | main.rs:74:13:74:21 | source(...) | source(...) |
| main.rs:102:10:102:10 | b | main.rs:100:13:100:21 | source(...) | main.rs:102:10:102:10 | b | $@ | main.rs:100:13:100:21 | source(...) | source(...) |
| main.rs:149:10:149:11 | * ... | main.rs:148:16:148:25 | source(...) | main.rs:149:10:149:11 | * ... | $@ | main.rs:148:16:148:25 | source(...) | source(...) |

2
rust/ql/test/library-tests/dataflow/global/main.rs
View File

@@ -146,7 +146,7 @@ fn mutates_argument_1() {
let m = &mut n;
sink(*m);
set_int(m, source(37));
sink(*m); // $ MISSING: hasValueFlow=37
sink(*m); // $ hasValueFlow=37
}
fn mutates_argument_2() {

8
rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected
View File

@@ -8,6 +8,9 @@ edges
| main.rs:15:9:15:9 | c | main.rs:16:10:16:10 | c | provenance | |
| main.rs:15:13:15:14 | * ... | main.rs:15:9:15:9 | c | provenance | |
| main.rs:15:14:15:14 | b [&ref] | main.rs:15:13:15:14 | * ... | provenance | |
| main.rs:31:6:31:6 | [post] b [&ref] | main.rs:32:11:32:11 | b [&ref] | provenance | |
| main.rs:31:10:31:19 | source(...) | main.rs:31:6:31:6 | [post] b [&ref] | provenance | |
| main.rs:32:11:32:11 | b [&ref] | main.rs:32:10:32:11 | * ... | provenance | |
| main.rs:37:25:37:26 | &... [&ref] | main.rs:37:26:37:26 | n | provenance | |
| main.rs:37:25:37:32 | ...: ... [&ref] | main.rs:37:25:37:26 | &... [&ref] | provenance | |
| main.rs:37:26:37:26 | n | main.rs:38:10:38:10 | n | provenance | |
@@ -54,6 +57,10 @@ nodes
| main.rs:15:13:15:14 | * ... | semmle.label | * ... |
| main.rs:15:14:15:14 | b [&ref] | semmle.label | b [&ref] |
| main.rs:16:10:16:10 | c | semmle.label | c |
| main.rs:31:6:31:6 | [post] b [&ref] | semmle.label | [post] b [&ref] |
| main.rs:31:10:31:19 | source(...) | semmle.label | source(...) |
| main.rs:32:10:32:11 | * ... | semmle.label | * ... |
| main.rs:32:11:32:11 | b [&ref] | semmle.label | b [&ref] |
| main.rs:37:25:37:26 | &... [&ref] | semmle.label | &... [&ref] |
| main.rs:37:25:37:32 | ...: ... [&ref] | semmle.label | ...: ... [&ref] |
| main.rs:37:26:37:26 | n | semmle.label | n |
@@ -100,6 +107,7 @@ subpaths
testFailures
#select
| main.rs:16:10:16:10 | c | main.rs:13:13:13:22 | source(...) | main.rs:16:10:16:10 | c | $@ | main.rs:13:13:13:22 | source(...) | source(...) |
| main.rs:32:10:32:11 | * ... | main.rs:31:10:31:19 | source(...) | main.rs:32:10:32:11 | * ... | $@ | main.rs:31:10:31:19 | source(...) | source(...) |
| main.rs:38:10:38:10 | n | main.rs:42:15:42:24 | source(...) | main.rs:38:10:38:10 | n | $@ | main.rs:42:15:42:24 | source(...) | source(...) |
| main.rs:70:10:70:30 | my_number.to_number(...) | main.rs:69:40:69:49 | source(...) | main.rs:70:10:70:30 | my_number.to_number(...) | $@ | main.rs:69:40:69:49 | source(...) | source(...) |
| main.rs:80:10:80:31 | my_number.get_number(...) | main.rs:79:41:79:50 | source(...) | main.rs:80:10:80:31 | my_number.get_number(...) | $@ | main.rs:79:41:79:50 | source(...) | source(...) |

2
rust/ql/test/library-tests/dataflow/pointers/main.rs
View File

@@ -29,7 +29,7 @@ fn write_and_read_through_borrow() {
let b = &mut a;
sink(*b);
*b = source(37);
sink(*b); // $ MISSING: hasValueFlow=37
sink(*b); // $ hasValueFlow=37
*b = 0;
sink(*b); // now cleared
}

32
rust/ql/test/utils-tests/modelgenerator/option.rs
View File

@@ -44,7 +44,9 @@ impl<T> MyOption<T> {
}
}
// summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// NOTE: The returned value inside the variant should be inside a `Reference`, requires handling
// `ref` in patterns.
// summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
pub fn as_ref(&self) -> MyOption<&T> {
match *self {
MySome(ref x) => MySome(x),
@@ -52,7 +54,7 @@ impl<T> MyOption<T> {
}
}
// summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
pub fn as_mut(&mut self) -> MyOption<&mut T> {
match *self {
MySome(ref mut x) => MySome(x),
@@ -285,8 +287,11 @@ impl<T> MyOption<T> {
}
}
// MISSING: summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated
// SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// The below should be `ReturnValue.Reference` and not just `ReturnValue`.
// SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated
// The content of `self` is overwritten so it does not flow to the return value.
// SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
pub fn insert(&mut self, value: T) -> &mut T {
*self = MySome(value);
@@ -294,13 +299,14 @@ impl<T> MyOption<T> {
unsafe { self.as_mut().unwrap_unchecked() }
}
// summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
// MISSING: repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
pub fn get_or_insert(&mut self, value: T) -> &mut T {
self.get_or_insert_with(|| value)
}
// summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
pub fn get_or_insert_default(&mut self) -> &mut T
where
T: Default,
@@ -308,7 +314,7 @@ impl<T> MyOption<T> {
self.get_or_insert_with(T::default)
}
// summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
// MISSING: Mutating `self` parameter.
pub fn get_or_insert_with<F>(&mut self, f: F) -> &mut T
where
@@ -329,7 +335,7 @@ impl<T> MyOption<T> {
mem::replace(self, MyNone)
}
// summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated
// MISSING: Uses `take` which doesn't have flow
pub fn take_if<P>(&mut self, predicate: P) -> MyOption<T>
where
@@ -378,7 +384,7 @@ impl<T, U> MyOption<(T, U)> {
}
impl<T> MyOption<&T> {
// summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
pub fn copied(self) -> MyOption<T>
where
T: Copy,
@@ -404,7 +410,7 @@ impl<T> MyOption<&T> {
}
impl<T> MyOption<&mut T> {
// summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
pub fn copied(self) -> MyOption<T>
where
T: Copy,
@@ -474,14 +480,14 @@ impl<T> From<T> for MyOption<T> {
}
impl<'a, T> From<&'a MyOption<T>> for MyOption<&'a T> {
// summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
fn from(o: &'a MyOption<T>) -> MyOption<&'a T> {
o.as_ref()
}
}
impl<'a, T> From<&'a mut MyOption<T>> for MyOption<&'a mut T> {
// summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
// summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
fn from(o: &'a mut MyOption<T>) -> MyOption<&'a mut T> {
o.as_mut()
}

3
rust/ql/test/utils-tests/modelgenerator/summaries.rs
View File

@@ -79,11 +79,12 @@ pub fn apply<F>(n: i64, f: F) -> i64 where F : FnOnce(i64) -> i64 {
// Flow out of mutated arguments
// summary=repo::test;crate::summaries::set_int;Argument[1];Argument[0].Reference;value;dfc-generated
pub fn set_int(n: &mut i64, c: i64) {
*n = c;
}
// summary=repo::test;crate::summaries::read_int;Argument[0];ReturnValue;value;dfc-generated
// summary=repo::test;crate::summaries::read_int;Argument[0].Reference;ReturnValue;value;dfc-generated
pub fn read_int(n: &mut i64) -> i64 {
*n
}