Rust: Handle functions as lambdas

2026-04-26 17:25:19 +02:00 · 2025-09-29 14:49:04 +02:00
parent 0728692e93
commit 37ffe82ac9
4 changed files with 52 additions and 15 deletions
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -295,13 +295,10 @@ module LocalFlow {
 class LambdaCallKind = Unit;

 /** Holds if `creation` is an expression that creates a lambda of kind `kind`. */
-predicate lambdaCreationExpr(Expr creation, LambdaCallKind kind) {
-  (
-    creation instanceof ClosureExpr
-    or
-    creation instanceof Scope::AsyncBlockScope
-  ) and
-  exists(kind)
+predicate lambdaCreationExpr(Expr creation) {
+  creation instanceof ClosureExpr
+  or
+  creation instanceof Scope::AsyncBlockScope
 }

 /**
@@ -810,8 +807,15 @@ module RustDataFlow implements InputSig<Location> {

  /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
  predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
-    exists(Expr e |
-      e = creation.asExpr().getExpr() and lambdaCreationExpr(e, kind) and e = c.asCfgScope()
+    exists(kind) and
+    exists(Expr e | e = creation.asExpr().getExpr() |
+      lambdaCreationExpr(e) and e = c.asCfgScope()
+      or
+      // A path expression, that resolves to a function, evaluates to a function
+      // pointer. Except if the path occurs directly in a call, then it's just a
+      // call to the function and not a function being passed as data.
+      resolvePath(e.(PathExpr).getPath()) = c.asCfgScope() and
+      not any(CallExpr call).getFunction() = e
    )
  }

@@ -931,7 +935,7 @@ module VariableCapture {
    }

    class ClosureExpr extends Expr instanceof ExprCfgNode {
-      ClosureExpr() { lambdaCreationExpr(super.getExpr(), _) }
+      ClosureExpr() { lambdaCreationExpr(super.getExpr()) }

      predicate hasBody(Callable body) { body = super.getExpr() }

--- a/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/Node.qll
@@ -454,7 +454,7 @@ newtype TNode =
    or
    lambdaCallExpr(_, _, e)
    or
-    lambdaCreationExpr(e.getExpr(), _)
+    lambdaCreationExpr(e.getExpr())
    or
    // Whenever `&mut e` has a post-update node we also create one for `e`.
    // E.g., for `e` in `f(..., &mut e, ...)` or `*(&mut e) = ...`.
@@ -478,5 +478,5 @@ newtype TNode =
  } or
  TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
  TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
-  TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c, _) } or
+  TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c) } or
  TCaptureNode(VariableCapture::Flow::SynthesizedCaptureNode cn)
--- a/rust/ql/test/library-tests/dataflow/lambdas/inline-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/lambdas/inline-flow.expected
@@ -17,6 +17,19 @@ edges
 | main.rs:39:5:39:5 | [post] f [captured capt] | main.rs:40:10:40:13 | capt | provenance |  |
 | main.rs:39:5:39:5 | [post] f [captured capt] | main.rs:44:5:44:5 | g [captured capt] | provenance |  |
 | main.rs:44:5:44:5 | g [captured capt] | main.rs:42:14:42:17 | capt | provenance |  |
+| main.rs:47:29:49:1 | { ... } | main.rs:57:10:57:12 | f(...) | provenance |  |
+| main.rs:48:5:48:14 | source(...) | main.rs:47:29:49:1 | { ... } | provenance |  |
+| main.rs:51:17:51:25 | ...: i64 | main.rs:52:10:52:13 | data | provenance |  |
+| main.rs:62:9:62:9 | a | main.rs:63:7:63:7 | a | provenance |  |
+| main.rs:62:13:62:22 | source(...) | main.rs:62:9:62:9 | a | provenance |  |
+| main.rs:63:7:63:7 | a | main.rs:51:17:51:25 | ...: i64 | provenance |  |
+| main.rs:66:24:66:32 | ...: i64 | main.rs:66:42:72:1 | { ... } | provenance |  |
+| main.rs:76:9:76:9 | a | main.rs:77:21:77:21 | a | provenance |  |
+| main.rs:76:13:76:22 | source(...) | main.rs:76:9:76:9 | a | provenance |  |
+| main.rs:77:9:77:9 | b | main.rs:78:10:78:10 | b | provenance |  |
+| main.rs:77:13:77:22 | f(...) | main.rs:77:9:77:9 | b | provenance |  |
+| main.rs:77:21:77:21 | a | main.rs:66:24:66:32 | ...: i64 | provenance |  |
+| main.rs:77:21:77:21 | a | main.rs:77:13:77:22 | f(...) | provenance |  |
 nodes
 | main.rs:10:20:10:52 | if cond {...} else {...} | semmle.label | if cond {...} else {...} |
 | main.rs:10:30:10:39 | source(...) | semmle.label | source(...) |
@@ -39,8 +52,25 @@ nodes
 | main.rs:40:10:40:13 | capt | semmle.label | capt |
 | main.rs:42:14:42:17 | capt | semmle.label | capt |
 | main.rs:44:5:44:5 | g [captured capt] | semmle.label | g [captured capt] |
+| main.rs:47:29:49:1 | { ... } | semmle.label | { ... } |
+| main.rs:48:5:48:14 | source(...) | semmle.label | source(...) |
+| main.rs:51:17:51:25 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:52:10:52:13 | data | semmle.label | data |
+| main.rs:57:10:57:12 | f(...) | semmle.label | f(...) |
+| main.rs:62:9:62:9 | a | semmle.label | a |
+| main.rs:62:13:62:22 | source(...) | semmle.label | source(...) |
+| main.rs:63:7:63:7 | a | semmle.label | a |
+| main.rs:66:24:66:32 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:66:42:72:1 | { ... } | semmle.label | { ... } |
+| main.rs:76:9:76:9 | a | semmle.label | a |
+| main.rs:76:13:76:22 | source(...) | semmle.label | source(...) |
+| main.rs:77:9:77:9 | b | semmle.label | b |
+| main.rs:77:13:77:22 | f(...) | semmle.label | f(...) |
+| main.rs:77:21:77:21 | a | semmle.label | a |
+| main.rs:78:10:78:10 | b | semmle.label | b |
 subpaths
 | main.rs:29:21:29:21 | a | main.rs:27:20:27:23 | ... | main.rs:27:26:27:52 | if cond {...} else {...} | main.rs:29:13:29:22 | f(...) |
+| main.rs:77:21:77:21 | a | main.rs:66:24:66:32 | ...: i64 | main.rs:66:42:72:1 | { ... } | main.rs:77:13:77:22 | f(...) |
 testFailures
 #select
 | main.rs:11:10:11:16 | f(...) | main.rs:10:30:10:39 | source(...) | main.rs:11:10:11:16 | f(...) | $@ | main.rs:10:30:10:39 | source(...) | source(...) |
@@ -48,3 +78,6 @@ testFailures
 | main.rs:30:10:30:10 | b | main.rs:28:13:28:22 | source(...) | main.rs:30:10:30:10 | b | $@ | main.rs:28:13:28:22 | source(...) | source(...) |
 | main.rs:40:10:40:13 | capt | main.rs:37:16:37:25 | source(...) | main.rs:40:10:40:13 | capt | $@ | main.rs:37:16:37:25 | source(...) | source(...) |
 | main.rs:42:14:42:17 | capt | main.rs:37:16:37:25 | source(...) | main.rs:42:14:42:17 | capt | $@ | main.rs:37:16:37:25 | source(...) | source(...) |
+| main.rs:52:10:52:13 | data | main.rs:62:13:62:22 | source(...) | main.rs:52:10:52:13 | data | $@ | main.rs:62:13:62:22 | source(...) | source(...) |
+| main.rs:57:10:57:12 | f(...) | main.rs:48:5:48:14 | source(...) | main.rs:57:10:57:12 | f(...) | $@ | main.rs:48:5:48:14 | source(...) | source(...) |
+| main.rs:78:10:78:10 | b | main.rs:76:13:76:22 | source(...) | main.rs:78:10:78:10 | b | $@ | main.rs:76:13:76:22 | source(...) | source(...) |
--- a/rust/ql/test/library-tests/dataflow/lambdas/main.rs
+++ b/rust/ql/test/library-tests/dataflow/lambdas/main.rs
@@ -49,12 +49,12 @@ fn get_from_source() -> i64 {
 }

 fn pass_to_sink(data: i64) {
-    sink(data); // $ MISSING: hasValueFlow=34
+    sink(data); // $ hasValueFlow=34
 }

 fn function_flow_out() {
    let f = get_from_source;
-    sink(f()); // $ MISSING: hasValueFlow=93
+    sink(f()); // $ hasValueFlow=93
 }

 fn function_flow_in() {
@@ -75,7 +75,7 @@ fn function_flows_through() {
    let f = get_arg;
    let a = source(56);
    let b = f(true, a);
-    sink(b); // $ MISSING: hasValueFlow=56
+    sink(b); // $ hasValueFlow=56
 }

 fn main() {