Rust: Don't apply generated models for functions that have a manual model

2026-04-26 17:25:19 +02:00 · 2025-12-15 14:25:49 +01:00
parent d2cfd53933
commit 1b70111dd2
3 changed files with 10 additions and 24 deletions
--- a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
@@ -123,12 +123,15 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
    summaryModel(path, _, _, _, provenance, _)
  }

+  private predicate hasManualModel() { summaryModel(path, _, _, _, "manual", _) }
+
  override predicate propagatesFlow(
    string input, string output, boolean preservesValue, string model
  ) {
-    exists(string kind, QlBuiltins::ExtensionId madId |
-      summaryModel(path, input, output, kind, _, madId) and
-      model = "MaD:" + madId.toString()
+    exists(string kind, string provenance, QlBuiltins::ExtensionId madId |
+      summaryModel(path, input, output, kind, provenance, madId) and
+      model = "MaD:" + madId.toString() and
+      (provenance = "manual" or not this.hasManualModel())
    |
      kind = "value" and
      preservesValue = true
--- a/rust/ql/test/library-tests/dataflow/models/main.rs
+++ b/rust/ql/test/library-tests/dataflow/models/main.rs
@@ -42,7 +42,7 @@ fn test_snd() {
    sink(snd(0, s1)); // $ hasValueFlow=99

    let s2 = source(88);
-    sink(snd(s2, 0)); // $ SPURIOUS: hasValueFlow=88
+    sink(snd(s2, 0));
 }

 // has a flow model
--- a/rust/ql/test/library-tests/dataflow/models/models.expected
+++ b/rust/ql/test/library-tests/dataflow/models/models.expected
@@ -24,8 +24,7 @@ models
 | 23 | Summary: main::set_tuple_element; Argument[0]; ReturnValue.Field[1]; value |
 | 24 | Summary: main::set_var_field; Argument[0]; ReturnValue.Field[main::MyFieldEnum::D::field_d]; value |
 | 25 | Summary: main::set_var_pos; Argument[0]; ReturnValue.Field[main::MyPosEnum::B(0)]; value |
-| 26 | Summary: main::snd; Argument[0]; ReturnValue; value |
-| 27 | Summary: main::snd; Argument[1]; ReturnValue; value |
+| 26 | Summary: main::snd; Argument[1]; ReturnValue; value |
 edges
 | main.rs:15:9:15:9 | s | main.rs:16:19:16:19 | s | provenance |  |
 | main.rs:15:9:15:9 | s | main.rs:16:19:16:19 | s | provenance |  |
@@ -40,14 +39,8 @@ edges
 | main.rs:41:9:41:10 | s1 | main.rs:42:17:42:18 | s1 | provenance |  |
 | main.rs:41:14:41:23 | source(...) | main.rs:41:9:41:10 | s1 | provenance |  |
 | main.rs:41:14:41:23 | source(...) | main.rs:41:9:41:10 | s1 | provenance |  |
-| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:27 |
-| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:27 |
-| main.rs:44:9:44:10 | s2 | main.rs:45:14:45:15 | s2 | provenance |  |
-| main.rs:44:9:44:10 | s2 | main.rs:45:14:45:15 | s2 | provenance |  |
-| main.rs:44:14:44:23 | source(...) | main.rs:44:9:44:10 | s2 | provenance |  |
-| main.rs:44:14:44:23 | source(...) | main.rs:44:9:44:10 | s2 | provenance |  |
-| main.rs:45:14:45:15 | s2 | main.rs:45:10:45:19 | snd(...) | provenance | MaD:26 |
-| main.rs:45:14:45:15 | s2 | main.rs:45:10:45:19 | snd(...) | provenance | MaD:26 |
+| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:26 |
+| main.rs:42:17:42:18 | s1 | main.rs:42:10:42:19 | snd(...) | provenance | MaD:26 |
 | main.rs:54:9:54:9 | s | main.rs:55:27:55:27 | s | provenance |  |
 | main.rs:54:9:54:9 | s | main.rs:55:27:55:27 | s | provenance |  |
 | main.rs:54:13:54:21 | source(...) | main.rs:54:9:54:9 | s | provenance |  |
@@ -347,14 +340,6 @@ nodes
 | main.rs:42:10:42:19 | snd(...) | semmle.label | snd(...) |
 | main.rs:42:17:42:18 | s1 | semmle.label | s1 |
 | main.rs:42:17:42:18 | s1 | semmle.label | s1 |
-| main.rs:44:9:44:10 | s2 | semmle.label | s2 |
-| main.rs:44:9:44:10 | s2 | semmle.label | s2 |
-| main.rs:44:14:44:23 | source(...) | semmle.label | source(...) |
-| main.rs:44:14:44:23 | source(...) | semmle.label | source(...) |
-| main.rs:45:10:45:19 | snd(...) | semmle.label | snd(...) |
-| main.rs:45:10:45:19 | snd(...) | semmle.label | snd(...) |
-| main.rs:45:14:45:15 | s2 | semmle.label | s2 |
-| main.rs:45:14:45:15 | s2 | semmle.label | s2 |
 | main.rs:54:9:54:9 | s | semmle.label | s |
 | main.rs:54:9:54:9 | s | semmle.label | s |
 | main.rs:54:13:54:21 | source(...) | semmle.label | source(...) |
@@ -700,8 +685,6 @@ invalidSpecComponent
 | main.rs:26:10:26:18 | coerce(...) | main.rs:25:13:25:22 | source(...) | main.rs:26:10:26:18 | coerce(...) | $@ | main.rs:25:13:25:22 | source(...) | source(...) |
 | main.rs:42:10:42:19 | snd(...) | main.rs:41:14:41:23 | source(...) | main.rs:42:10:42:19 | snd(...) | $@ | main.rs:41:14:41:23 | source(...) | source(...) |
 | main.rs:42:10:42:19 | snd(...) | main.rs:41:14:41:23 | source(...) | main.rs:42:10:42:19 | snd(...) | $@ | main.rs:41:14:41:23 | source(...) | source(...) |
-| main.rs:45:10:45:19 | snd(...) | main.rs:44:14:44:23 | source(...) | main.rs:45:10:45:19 | snd(...) | $@ | main.rs:44:14:44:23 | source(...) | source(...) |
-| main.rs:45:10:45:19 | snd(...) | main.rs:44:14:44:23 | source(...) | main.rs:45:10:45:19 | snd(...) | $@ | main.rs:44:14:44:23 | source(...) | source(...) |
 | main.rs:56:10:56:24 | get_var_pos(...) | main.rs:54:13:54:21 | source(...) | main.rs:56:10:56:24 | get_var_pos(...) | $@ | main.rs:54:13:54:21 | source(...) | source(...) |
 | main.rs:56:10:56:24 | get_var_pos(...) | main.rs:54:13:54:21 | source(...) | main.rs:56:10:56:24 | get_var_pos(...) | $@ | main.rs:54:13:54:21 | source(...) | source(...) |
 | main.rs:71:33:71:33 | i | main.rs:67:13:67:21 | source(...) | main.rs:71:33:71:33 | i | $@ | main.rs:67:13:67:21 | source(...) | source(...) |