Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21

2026-03-31 04:38:18 +02:00 · 2026-03-06 16:20:36 +01:00
parent 13ce515aab 84bef5d4bc
commit 3b9eba2afc
846 changed files with 87321 additions and 58588 deletions
--- a/rust/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/rust/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/rust/ql/lib/codeql/rust/internal/typeinference/AssociatedType.qll
+++ b/rust/ql/lib/codeql/rust/internal/typeinference/AssociatedType.qll
@@ -24,11 +24,14 @@ AssocType getTraitAssocType(Trait trait) { result.getTrait() = trait.getSupertra

 /** Holds if `path` is of the form `<type as trait>::name` */
 pragma[nomagic]
-predicate pathTypeAsTraitAssoc(Path path, TypeRepr typeRepr, Path traitPath, string name) {
+predicate pathTypeAsTraitAssoc(
+  Path path, TypeRepr typeRepr, PathTypeRepr traitRepr, Trait trait, string name
+) {
  exists(PathSegment segment |
    segment = path.getQualifier().getSegment() and
    typeRepr = segment.getTypeRepr() and
-    traitPath = segment.getTraitTypeRepr().getPath() and
+    traitRepr = segment.getTraitTypeRepr() and
+    trait = resolvePath(traitRepr.getPath()) and
    name = path.getText()
  )
 }
@@ -43,10 +46,10 @@ predicate tpAssociatedType(TypeParam tp, AssocType assoc, Path path) {
  resolvePath(path.getQualifier()) = tp and
  resolvePath(path) = assoc
  or
-  exists(PathTypeRepr typeRepr, Path traitPath, string name |
-    pathTypeAsTraitAssoc(path, typeRepr, traitPath, name) and
+  exists(PathTypeRepr typeRepr, TraitItemNode trait, string name |
+    pathTypeAsTraitAssoc(path, typeRepr, _, trait, name) and
    tp = resolvePath(typeRepr.getPath()) and
-    assoc = resolvePath(traitPath).(TraitItemNode).getAssocItem(name)
+    assoc = trait.getAssocItem(name)
  )
 }

--- a/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll
+++ b/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll
@@ -701,7 +701,7 @@ class PreTypeMention = PreTypeMention::TypeMention;
 * concrete type given by `tm`.
 */
 private predicate pathConcreteTypeAssocType(
-  Path path, PreTypeMention tm, Trait trait, TypeAlias alias
+  Path path, PreTypeMention tm, TraitItemNode trait, PreTypeMention tmTrait, TypeAlias alias
 ) {
  exists(Path qualifier |
    qualifier = path.getQualifier() and
@@ -709,9 +709,8 @@ private predicate pathConcreteTypeAssocType(
  |
    // path of the form `<Type as Trait>::AssocType`
    //                    ^^^ tm          ^^^^^^^^^ name
-    exists(string name, Path traitPath |
-      pathTypeAsTraitAssoc(path, tm, traitPath, name) and
-      trait = resolvePath(traitPath) and
+    exists(string name |
+      pathTypeAsTraitAssoc(path, tm, tmTrait, trait, name) and
      getTraitAssocType(trait, name) = alias
    )
    or
@@ -721,14 +720,15 @@ private predicate pathConcreteTypeAssocType(
      alias = resolvePath(path) and
      qualifier = impl.getASelfPath() and
      tm = impl.(Impl).getSelfTy() and
-      trait.(TraitItemNode).getAnAssocItem() = alias
+      trait.getAnAssocItem() = alias and
+      tmTrait = impl.getTraitPath()
    )
  )
 }

 private module PathSatisfiesConstraintInput implements SatisfiesConstraintInputSig<PreTypeMention> {
  predicate relevantConstraint(PreTypeMention tm, Type constraint) {
-    pathConcreteTypeAssocType(_, tm, constraint.(TraitType).getTrait(), _)
+    pathConcreteTypeAssocType(_, tm, constraint.(TraitType).getTrait(), _, _)
  }
 }

@@ -740,10 +740,22 @@ private module PathSatisfiesConstraint =
 * on a concrete type.
 */
 private Type getPathConcreteAssocTypeAt(Path path, TypePath typePath) {
-  exists(PreTypeMention tm, TraitItemNode t, TypeAlias alias, TypePath path0 |
-    pathConcreteTypeAssocType(path, tm, t, alias) and
-    PathSatisfiesConstraint::satisfiesConstraintType(tm, TTrait(t), path0, result) and
-    path0.isCons(TAssociatedTypeTypeParameter(t, alias), typePath)
+  exists(
+    PreTypeMention tm, ImplItemNode impl, TraitItemNode trait, TraitType t, PreTypeMention tmTrait,
+    TypeAlias alias, TypePath path0
+  |
+    pathConcreteTypeAssocType(path, tm, trait, tmTrait, alias) and
+    t = TTrait(trait) and
+    PathSatisfiesConstraint::satisfiesConstraintTypeThrough(tm, impl, t, path0, result) and
+    path0.isCons(TAssociatedTypeTypeParameter(trait, alias), typePath)
+  |
+    tmTrait.getTypeAt(TypePath::nil()) != t
+    or
+    not exists(TypePath path1, Type t1 |
+      t1 = impl.getTraitPath().(PreTypeMention).getTypeAt(path1) and
+      not t1 instanceof TypeParameter and
+      t1 != tmTrait.getTypeAt(path1)
+    )
  )
 }

--- a/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
+++ b/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
@@ -50,6 +50,10 @@ module AccessAfterLifetimeConfig implements DataFlow::ConfigSig {
      result = [target.getLocation(), source.getLocation()]
    )
  }
+
+  DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureEscapesSourceCallContextOrEqualSourceSinkCallContext
+  }
 }

 module AccessAfterLifetimeFlow = TaintTracking::Global<AccessAfterLifetimeConfig>;
@@ -64,53 +68,22 @@ predicate sinkBlock(Sink s, BlockExpr be) {
  be = s.asExpr().getEnclosingBlock()
 }

-private predicate tcStep(BlockExpr a, BlockExpr b) {
-  // propagate through function calls
-  exists(Call call |
-    a = call.getEnclosingBlock() and
-    call.getARuntimeTarget() = b.getEnclosingCallable()
-  )
-}
-
-private predicate isTcSource(BlockExpr be) { sourceBlock(_, _, be) }
-
-private predicate isTcSink(BlockExpr be) { sinkBlock(_, be) }
-
-/**
- * Holds if block `a` contains block `b`, in the sense that a stack allocated variable in
- * `a` may still be on the stack during execution of `b`. This is interprocedural,
- * but is an overapproximation that doesn't accurately track call contexts
- * (for example if `f` and `g` both call `b`, then depending on the
- * caller a variable in `f` or `g` may or may-not be on the stack during `b`).
- */
-private predicate mayEncloseOnStack(BlockExpr a, BlockExpr b) =
-  doublyBoundedFastTC(tcStep/2, isTcSource/1, isTcSink/1)(a, b)
-
-/**
- * Holds if the pair `(source, sink)`, that represents a flow from a
- * pointer or reference to a dereference, has its dereference outside the
- * lifetime of the target variable `target`.
- */
-predicate dereferenceAfterLifetime(Source source, Sink sink, Variable target) {
-  AccessAfterLifetimeFlow::flow(source, sink) and
-  sourceValueScope(source, target, _) and
-  not exists(BlockExpr beSource, BlockExpr beSink |
-    sourceBlock(source, target, beSource) and
-    sinkBlock(sink, beSink)
-  |
-    beSource = beSink
-    or
-    mayEncloseOnStack(beSource, beSink)
-  )
-}
-
 from
  AccessAfterLifetimeFlow::PathNode sourceNode, AccessAfterLifetimeFlow::PathNode sinkNode,
-  Variable target
+  Source source, Sink sink, Variable target
 where
  // flow from a pointer or reference to the dereference
  AccessAfterLifetimeFlow::flowPath(sourceNode, sinkNode) and
-  // check that the dereference is outside the lifetime of the target
-  dereferenceAfterLifetime(sourceNode.getNode(), sinkNode.getNode(), target)
+  source = sourceNode.getNode() and
+  sink = sinkNode.getNode() and
+  sourceValueScope(source, target, _) and
+  // check that the dereference is outside the lifetime of the target, when the source
+  // and the sink are in the same callable
+  // (`FeatureEscapesSourceCallContextOrEqualSourceSinkCallContext` handles the case when
+  // they are not)
+  not exists(BlockExpr be |
+    sourceBlock(source, target, be) and
+    sinkBlock(sink, be)
+  )
 select sinkNode.getNode(), sourceNode, sinkNode,
  "Access of a pointer to $@ after its lifetime has ended.", target, target.toString()
--- a/rust/ql/test/library-tests/type-inference/CONSISTENCY/TypeInferenceConsistency.expected
+++ b/rust/ql/test/library-tests/type-inference/CONSISTENCY/TypeInferenceConsistency.expected
@@ -1,2 +0,0 @@
-nonUniqueCertainType
-| associated_types.rs:232:9:234:9 | { ... } |  |
--- a/rust/ql/test/library-tests/type-inference/associated_types.rs
+++ b/rust/ql/test/library-tests/type-inference/associated_types.rs
@@ -236,8 +236,8 @@ mod concrete_type_as_generic_access_associated_type {

    pub fn test() {
        let s = S;
-        let _a = s.convert(true); // $ target=S::convert type=_a:i32 SPURIOUS: bool
-        let _b = s.convert(42); // $ target=S::convert type=_b:bool SPURIOUS: i32
+        let _a = s.convert(true); // $ target=S::convert $ MISSING: type=_a:i32
+        let _b = s.convert(42); // $ target=S::convert $ MISSING: type=_b:bool
    }
 }

--- a/rust/ql/test/library-tests/type-inference/regressions.rs
+++ b/rust/ql/test/library-tests/type-inference/regressions.rs
@@ -32,3 +32,45 @@ mod regression1 {
        opt_e.unwrap() // $ target=unwrap
    }
 }
+
+mod regression2 {
+    use std::ops::Sub;
+
+    #[derive(Copy, Clone)]
+    struct S1;
+    #[derive(Copy, Clone)]
+    struct S2;
+
+    impl Sub for S1 {
+        type Output = Self;
+
+        // S1SubS1
+        fn sub(self, _rhs: Self) -> Self::Output {
+            S1
+        }
+    }
+
+    impl Sub<S2> for S1 {
+        type Output = S2;
+
+        // S1SubS2
+        fn sub(self, _rhs: S2) -> Self::Output {
+            S2
+        }
+    }
+
+    impl Sub<&S2> for S1 {
+        type Output = <S1 as Sub<S2>>::Output;
+
+        // S1SubRefS2
+        fn sub(self, other: &S2) -> <S1 as Sub<S2>>::Output {
+            Sub::sub(self, *other) // $ target=S1SubS2 target=deref
+        }
+    }
+
+    fn foo() {
+        let s1 = S1;
+        let s2 = S2;
+        let x = s1 - &s2; // $ target=S1SubRefS2 type=x:S2
+    }
+}
--- a/rust/ql/test/library-tests/type-inference/type-inference.expected
+++ b/rust/ql/test/library-tests/type-inference/type-inference.expected
@@ -105,8 +105,6 @@ inferCertainType
 | associated_types.rs:229:23:229:27 | SelfParam |  | {EXTERNAL LOCATION} | & |
 | associated_types.rs:229:23:229:27 | SelfParam | TRef | associated_types.rs:10:1:11:9 | S |
 | associated_types.rs:229:30:229:30 | t |  | associated_types.rs:229:20:229:20 | T |
-| associated_types.rs:232:9:234:9 | { ... } |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:232:9:234:9 | { ... } |  | {EXTERNAL LOCATION} | i32 |
 | associated_types.rs:233:24:233:24 | t |  | associated_types.rs:229:20:229:20 | T |
 | associated_types.rs:237:19:241:5 | { ... } |  | {EXTERNAL LOCATION} | () |
 | associated_types.rs:239:28:239:31 | true |  | {EXTERNAL LOCATION} | bool |
@@ -4947,6 +4945,21 @@ inferCertainType
 | regressions.rs:27:37:27:41 | vec_e |  | {EXTERNAL LOCATION} | Vec |
 | regressions.rs:27:37:27:41 | vec_e | A | {EXTERNAL LOCATION} | Global |
 | regressions.rs:28:9:30:9 | { ... } |  | {EXTERNAL LOCATION} | () |
+| regressions.rs:48:16:48:19 | SelfParam |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:48:22:48:25 | _rhs |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:48:50:50:9 | { ... } |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:57:16:57:19 | SelfParam |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:57:22:57:25 | _rhs |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:57:48:59:9 | { ... } |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:66:16:66:19 | SelfParam |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:66:22:66:26 | other |  | {EXTERNAL LOCATION} | & |
+| regressions.rs:66:22:66:26 | other | TRef | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:66:61:68:9 | { ... } |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:67:22:67:25 | self |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:67:29:67:33 | other |  | {EXTERNAL LOCATION} | & |
+| regressions.rs:67:29:67:33 | other | TRef | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:71:14:75:5 | { ... } |  | {EXTERNAL LOCATION} | () |
+| regressions.rs:74:22:74:24 | &s2 |  | {EXTERNAL LOCATION} | & |
 inferType
 | associated_types.rs:5:15:5:18 | SelfParam |  | associated_types.rs:1:1:2:21 | Wrapper |
 | associated_types.rs:5:15:5:18 | SelfParam | A | associated_types.rs:4:6:4:6 | A |
@@ -5114,25 +5127,13 @@ inferType
 | associated_types.rs:229:23:229:27 | SelfParam |  | {EXTERNAL LOCATION} | & |
 | associated_types.rs:229:23:229:27 | SelfParam | TRef | associated_types.rs:10:1:11:9 | S |
 | associated_types.rs:229:30:229:30 | t |  | associated_types.rs:229:20:229:20 | T |
-| associated_types.rs:232:9:234:9 | { ... } |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:232:9:234:9 | { ... } |  | {EXTERNAL LOCATION} | i32 |
-| associated_types.rs:233:13:233:25 | ...::through(...) |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:233:13:233:25 | ...::through(...) |  | {EXTERNAL LOCATION} | i32 |
 | associated_types.rs:233:24:233:24 | t |  | associated_types.rs:229:20:229:20 | T |
 | associated_types.rs:237:19:241:5 | { ... } |  | {EXTERNAL LOCATION} | () |
 | associated_types.rs:238:13:238:13 | s |  | associated_types.rs:10:1:11:9 | S |
 | associated_types.rs:238:17:238:17 | S |  | associated_types.rs:10:1:11:9 | S |
-| associated_types.rs:239:13:239:14 | _a |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:239:13:239:14 | _a |  | {EXTERNAL LOCATION} | i32 |
 | associated_types.rs:239:18:239:18 | s |  | associated_types.rs:10:1:11:9 | S |
-| associated_types.rs:239:18:239:32 | s.convert(...) |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:239:18:239:32 | s.convert(...) |  | {EXTERNAL LOCATION} | i32 |
 | associated_types.rs:239:28:239:31 | true |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:240:13:240:14 | _b |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:240:13:240:14 | _b |  | {EXTERNAL LOCATION} | i32 |
 | associated_types.rs:240:18:240:18 | s |  | associated_types.rs:10:1:11:9 | S |
-| associated_types.rs:240:18:240:30 | s.convert(...) |  | {EXTERNAL LOCATION} | bool |
-| associated_types.rs:240:18:240:30 | s.convert(...) |  | {EXTERNAL LOCATION} | i32 |
 | associated_types.rs:240:28:240:29 | 42 |  | {EXTERNAL LOCATION} | i32 |
 | associated_types.rs:248:30:248:34 | thing |  | associated_types.rs:248:19:248:27 | T |
 | associated_types.rs:248:65:250:5 | { ... } |  | associated_types.rs:248:19:248:27 | T::Output[GetSet] |
@@ -14789,4 +14790,32 @@ inferType
 | regressions.rs:32:9:32:13 | opt_e |  | {EXTERNAL LOCATION} | Option |
 | regressions.rs:32:9:32:13 | opt_e | T | regressions.rs:5:5:7:5 | E |
 | regressions.rs:32:9:32:22 | opt_e.unwrap() |  | regressions.rs:5:5:7:5 | E |
+| regressions.rs:48:16:48:19 | SelfParam |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:48:22:48:25 | _rhs |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:48:50:50:9 | { ... } |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:49:13:49:14 | S1 |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:57:16:57:19 | SelfParam |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:57:22:57:25 | _rhs |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:57:48:59:9 | { ... } |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:58:13:58:14 | S2 |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:66:16:66:19 | SelfParam |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:66:22:66:26 | other |  | {EXTERNAL LOCATION} | & |
+| regressions.rs:66:22:66:26 | other | TRef | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:66:61:68:9 | { ... } |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:67:13:67:34 | ...::sub(...) |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:67:22:67:25 | self |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:67:28:67:33 | * ... |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:67:29:67:33 | other |  | {EXTERNAL LOCATION} | & |
+| regressions.rs:67:29:67:33 | other | TRef | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:71:14:75:5 | { ... } |  | {EXTERNAL LOCATION} | () |
+| regressions.rs:72:13:72:14 | s1 |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:72:18:72:19 | S1 |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:73:13:73:14 | s2 |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:73:18:73:19 | S2 |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:74:13:74:13 | x |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:74:17:74:18 | s1 |  | regressions.rs:39:5:40:14 | S1 |
+| regressions.rs:74:17:74:24 | ... - ... |  | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:74:22:74:24 | &s2 |  | {EXTERNAL LOCATION} | & |
+| regressions.rs:74:22:74:24 | &s2 | TRef | regressions.rs:41:5:42:14 | S2 |
+| regressions.rs:74:23:74:24 | s2 |  | regressions.rs:41:5:42:14 | S2 |
 testFailures
--- a/rust/ql/test/query-tests/security/CWE-312/test_logging.rs
+++ b/rust/ql/test/query-tests/security/CWE-312/test_logging.rs
@@ -97,7 +97,7 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
    info!("{}", m2); // $ Alert[rust/cleartext-logging]=m2

    let m3 = format!("message = {}", password); // $ Source[rust/cleartext-logging]=m3
-    info!("{}", m3); // $  Alert[rust/cleartext-logging]=m3
+    info!("{}", m3); // $ Alert[rust/cleartext-logging]=m3

    let mut m4 = String::new();
    write!(&mut m4, "message = {}", password); // $ MISSING: Source=m4
--- a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
+++ b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -9,6 +9,7 @@
 | lifetime.rs:76:4:76:5 | p2 | lifetime.rs:27:9:27:22 | &mut my_local2 | lifetime.rs:76:4:76:5 | p2 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:25:10:25:18 | my_local2 | my_local2 |
 | lifetime.rs:77:4:77:5 | p4 | lifetime.rs:39:9:39:26 | &raw mut my_local4 | lifetime.rs:77:4:77:5 | p4 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:37:10:37:18 | my_local4 | my_local4 |
 | lifetime.rs:172:13:172:15 | ptr | lifetime.rs:187:12:187:21 | &my_local1 | lifetime.rs:172:13:172:15 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:186:6:186:14 | my_local1 | my_local1 |
+| lifetime.rs:180:13:180:15 | ptr | lifetime.rs:187:12:187:21 | &my_local1 | lifetime.rs:180:13:180:15 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:186:6:186:14 | my_local1 | my_local1 |
 | lifetime.rs:255:14:255:17 | prev | lifetime.rs:251:10:251:19 | &my_local2 | lifetime.rs:255:14:255:17 | prev | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:242:7:242:15 | my_local2 | my_local2 |
 | lifetime.rs:310:31:310:32 | e1 | lifetime.rs:272:30:272:32 | &e1 | lifetime.rs:310:31:310:32 | e1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:271:6:271:7 | e1 | e1 |
 | lifetime.rs:314:23:314:24 | p2 | lifetime.rs:279:28:279:30 | &v2 | lifetime.rs:314:23:314:24 | p2 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:278:6:278:7 | v2 | v2 |
@@ -55,39 +56,23 @@ edges
 | lifetime.rs:59:11:59:36 | get_local_field_dangling(...) | lifetime.rs:59:6:59:7 | p6 | provenance |  |
 | lifetime.rs:63:3:63:4 | p7 | lifetime.rs:75:13:75:14 | p7 | provenance |  |
 | lifetime.rs:63:8:63:27 | &raw const my_local7 | lifetime.rs:63:3:63:4 | p7 | provenance |  |
-| lifetime.rs:91:17:91:30 | ...: ... | lifetime.rs:101:14:101:15 | p1 | provenance |  |
-| lifetime.rs:91:33:91:44 | ...: ... | lifetime.rs:102:14:102:15 | p2 | provenance |  |
-| lifetime.rs:91:33:91:44 | ...: ... | lifetime.rs:110:5:110:6 | p2 | provenance |  |
 | lifetime.rs:94:2:94:3 | p3 | lifetime.rs:103:14:103:15 | p3 | provenance |  |
 | lifetime.rs:94:7:94:16 | &my_local1 | lifetime.rs:94:2:94:3 | p3 | provenance |  |
-| lifetime.rs:119:15:119:24 | &my_local3 | lifetime.rs:91:17:91:30 | ...: ... | provenance |  |
-| lifetime.rs:119:27:119:44 | &mut my_local_mut4 | lifetime.rs:91:33:91:44 | ...: ... | provenance |  |
-| lifetime.rs:161:17:161:31 | ...: ... | lifetime.rs:164:13:164:15 | ptr | provenance |  |
 | lifetime.rs:169:17:169:31 | ...: ... | lifetime.rs:172:13:172:15 | ptr | provenance |  |
 | lifetime.rs:177:17:177:31 | ...: ... | lifetime.rs:180:13:180:15 | ptr | provenance |  |
-| lifetime.rs:187:6:187:8 | ptr | lifetime.rs:189:15:189:17 | ptr | provenance |  |
-| lifetime.rs:187:6:187:8 | ptr | lifetime.rs:190:15:190:17 | ptr | provenance |  |
 | lifetime.rs:187:6:187:8 | ptr | lifetime.rs:192:2:192:11 | return ptr | provenance |  |
 | lifetime.rs:187:12:187:21 | &my_local1 | lifetime.rs:187:6:187:8 | ptr | provenance |  |
-| lifetime.rs:189:15:189:17 | ptr | lifetime.rs:161:17:161:31 | ...: ... | provenance |  |
-| lifetime.rs:190:15:190:17 | ptr | lifetime.rs:177:17:177:31 | ...: ... | provenance |  |
 | lifetime.rs:192:2:192:11 | return ptr | lifetime.rs:196:12:196:36 | access_and_get_dangling(...) | provenance |  |
 | lifetime.rs:196:6:196:8 | ptr | lifetime.rs:200:15:200:17 | ptr | provenance |  |
 | lifetime.rs:196:6:196:8 | ptr | lifetime.rs:201:15:201:17 | ptr | provenance |  |
 | lifetime.rs:196:12:196:36 | access_and_get_dangling(...) | lifetime.rs:196:6:196:8 | ptr | provenance |  |
 | lifetime.rs:200:15:200:17 | ptr | lifetime.rs:169:17:169:31 | ...: ... | provenance |  |
 | lifetime.rs:201:15:201:17 | ptr | lifetime.rs:177:17:177:31 | ...: ... | provenance |  |
-| lifetime.rs:206:19:206:36 | ...: ... | lifetime.rs:216:16:216:21 | ptr_up | provenance |  |
-| lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:211:33:211:40 | ptr_ours | provenance |  |
 | lifetime.rs:208:6:208:13 | ptr_ours | lifetime.rs:225:2:225:16 | return ptr_ours | provenance |  |
 | lifetime.rs:208:17:208:29 | &my_local_rec | lifetime.rs:208:6:208:13 | ptr_ours | provenance |  |
 | lifetime.rs:211:7:211:14 | ptr_down | lifetime.rs:218:18:218:25 | ptr_down | provenance |  |
 | lifetime.rs:211:18:211:52 | access_ptr_rec(...) | lifetime.rs:211:7:211:14 | ptr_down | provenance |  |
-| lifetime.rs:211:33:211:40 | ptr_ours | lifetime.rs:206:19:206:36 | ...: ... | provenance |  |
 | lifetime.rs:225:2:225:16 | return ptr_ours | lifetime.rs:211:18:211:52 | access_ptr_rec(...) | provenance |  |
-| lifetime.rs:230:6:230:14 | ptr_start | lifetime.rs:232:21:232:29 | ptr_start | provenance |  |
-| lifetime.rs:230:18:230:31 | &my_local_rec2 | lifetime.rs:230:6:230:14 | ptr_start | provenance |  |
-| lifetime.rs:232:21:232:29 | ptr_start | lifetime.rs:206:19:206:36 | ...: ... | provenance |  |
 | lifetime.rs:239:6:239:13 | mut prev | lifetime.rs:247:15:247:18 | prev | provenance |  |
 | lifetime.rs:239:6:239:13 | mut prev | lifetime.rs:255:14:255:17 | prev | provenance |  |
 | lifetime.rs:239:34:239:43 | &my_local1 | lifetime.rs:239:6:239:13 | mut prev | provenance |  |
@@ -215,43 +200,26 @@ nodes
 | lifetime.rs:75:13:75:14 | p7 | semmle.label | p7 |
 | lifetime.rs:76:4:76:5 | p2 | semmle.label | p2 |
 | lifetime.rs:77:4:77:5 | p4 | semmle.label | p4 |
-| lifetime.rs:91:17:91:30 | ...: ... | semmle.label | ...: ... |
-| lifetime.rs:91:33:91:44 | ...: ... | semmle.label | ...: ... |
 | lifetime.rs:94:2:94:3 | p3 | semmle.label | p3 |
 | lifetime.rs:94:7:94:16 | &my_local1 | semmle.label | &my_local1 |
-| lifetime.rs:101:14:101:15 | p1 | semmle.label | p1 |
-| lifetime.rs:102:14:102:15 | p2 | semmle.label | p2 |
 | lifetime.rs:103:14:103:15 | p3 | semmle.label | p3 |
-| lifetime.rs:110:5:110:6 | p2 | semmle.label | p2 |
-| lifetime.rs:119:15:119:24 | &my_local3 | semmle.label | &my_local3 |
-| lifetime.rs:119:27:119:44 | &mut my_local_mut4 | semmle.label | &mut my_local_mut4 |
-| lifetime.rs:161:17:161:31 | ...: ... | semmle.label | ...: ... |
-| lifetime.rs:164:13:164:15 | ptr | semmle.label | ptr |
 | lifetime.rs:169:17:169:31 | ...: ... | semmle.label | ...: ... |
 | lifetime.rs:172:13:172:15 | ptr | semmle.label | ptr |
 | lifetime.rs:177:17:177:31 | ...: ... | semmle.label | ...: ... |
 | lifetime.rs:180:13:180:15 | ptr | semmle.label | ptr |
 | lifetime.rs:187:6:187:8 | ptr | semmle.label | ptr |
 | lifetime.rs:187:12:187:21 | &my_local1 | semmle.label | &my_local1 |
-| lifetime.rs:189:15:189:17 | ptr | semmle.label | ptr |
-| lifetime.rs:190:15:190:17 | ptr | semmle.label | ptr |
 | lifetime.rs:192:2:192:11 | return ptr | semmle.label | return ptr |
 | lifetime.rs:196:6:196:8 | ptr | semmle.label | ptr |
 | lifetime.rs:196:12:196:36 | access_and_get_dangling(...) | semmle.label | access_and_get_dangling(...) |
 | lifetime.rs:200:15:200:17 | ptr | semmle.label | ptr |
 | lifetime.rs:201:15:201:17 | ptr | semmle.label | ptr |
-| lifetime.rs:206:19:206:36 | ...: ... | semmle.label | ...: ... |
 | lifetime.rs:208:6:208:13 | ptr_ours | semmle.label | ptr_ours |
 | lifetime.rs:208:17:208:29 | &my_local_rec | semmle.label | &my_local_rec |
 | lifetime.rs:211:7:211:14 | ptr_down | semmle.label | ptr_down |
 | lifetime.rs:211:18:211:52 | access_ptr_rec(...) | semmle.label | access_ptr_rec(...) |
-| lifetime.rs:211:33:211:40 | ptr_ours | semmle.label | ptr_ours |
-| lifetime.rs:216:16:216:21 | ptr_up | semmle.label | ptr_up |
 | lifetime.rs:218:18:218:25 | ptr_down | semmle.label | ptr_down |
 | lifetime.rs:225:2:225:16 | return ptr_ours | semmle.label | return ptr_ours |
-| lifetime.rs:230:6:230:14 | ptr_start | semmle.label | ptr_start |
-| lifetime.rs:230:18:230:31 | &my_local_rec2 | semmle.label | &my_local_rec2 |
-| lifetime.rs:232:21:232:29 | ptr_start | semmle.label | ptr_start |
 | lifetime.rs:239:6:239:13 | mut prev | semmle.label | mut prev |
 | lifetime.rs:239:34:239:43 | &my_local1 | semmle.label | &my_local1 |
 | lifetime.rs:247:15:247:18 | prev | semmle.label | prev |
--- a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
+++ b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -177,7 +177,7 @@ fn access_ptr_2(ptr: *const i64) {
 fn access_ptr_3(ptr: *const i64) {
 	// called from contexts with `ptr` safe and dangling
 	unsafe {
-		let v3 = *ptr; // $ MISSING: Alert
+		let v3 = *ptr; // $ Alert[rust/access-after-lifetime-ended]=local1
 		println!("	v3 = {v3} (!)"); // corrupt in practice (in one context)
 	}
 }