Rust: Lets just not model 'drop' incorrectly, for now.

2026-04-19 14:04:09 +02:00 · 2025-03-27 09:48:53 +00:00
parent 8598d619f2
commit 4e496fe7b2
4 changed files with 6 additions and 5 deletions
--- a/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
+++ b/rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml
@@ -30,8 +30,6 @@ extensions:
      pack: codeql/rust-all
      extensible: sourceModel
    data:
-      # Mem
-      - ["lang:core", "crate::mem::drop", "Argument[0]", "pointer-invalidate", "manual"]
      # Ptr
      - ["lang:core", "crate::ptr::drop_in_place", "Argument[0]", "pointer-invalidate", "manual"]
      - ["lang:core", "crate::ptr::dangling", "ReturnValue", "pointer-invalidate", "manual"]
--- a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
@@ -36,6 +36,11 @@ module AccessInvalidPointer {

  /**
   * A pointer invalidation from model data.
+   *
+   * Note: we don't currently support invalidation via the object itself rather than via a pointer, such as:
+   * ```
+   * drop(obj)
+   * ```
   */
  private class ModelsAsDataSource extends Source {
    ModelsAsDataSource() { sourceNode(this, "pointer-invalidate") }
--- a/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected
+++ b/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected
@@ -13,7 +13,6 @@
 | deallocation.rs:131:14:131:15 | p2 | deallocation.rs:124:21:124:42 | ...::dangling_mut | deallocation.rs:131:14:131:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:124:21:124:42 | ...::dangling_mut | invalid |
 | deallocation.rs:132:14:132:15 | p3 | deallocation.rs:125:23:125:36 | ...::null | deallocation.rs:132:14:132:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:125:23:125:36 | ...::null | invalid |
 | deallocation.rs:180:15:180:16 | p1 | deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:180:15:180:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:176:3:176:25 | ...::drop_in_place | invalid |
-| deallocation.rs:212:10:212:17 | self.ptr | deallocation.rs:212:10:212:17 | self.ptr | deallocation.rs:212:10:212:17 | self.ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:212:10:212:17 | self.ptr | invalid |
 | deallocation.rs:245:18:245:20 | ptr | deallocation.rs:239:3:239:25 | ...::drop_in_place | deallocation.rs:245:18:245:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:239:3:239:25 | ...::drop_in_place | invalid |
 edges
 | deallocation.rs:20:3:20:21 | ...::dealloc | deallocation.rs:20:23:20:24 | [post] m1 | provenance | Src:MaD:3 MaD:3 |
@@ -84,7 +83,6 @@ nodes
 | deallocation.rs:176:3:176:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
 | deallocation.rs:176:27:176:28 | [post] p1 | semmle.label | [post] p1 |
 | deallocation.rs:180:15:180:16 | p1 | semmle.label | p1 |
-| deallocation.rs:212:10:212:17 | self.ptr | semmle.label | self.ptr |
 | deallocation.rs:239:3:239:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
 | deallocation.rs:239:27:239:29 | [post] ptr | semmle.label | [post] ptr |
 | deallocation.rs:245:18:245:20 | ptr | semmle.label | ptr |
--- a/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
+++ b/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
@@ -209,7 +209,7 @@ impl Drop for MyDropBuffer {

 		unsafe {
 			_ = *self.ptr;
-			drop(*self.ptr); // $ MISSING: Source=drop SPURIOUS: Alert[rust/access-invalid-pointer]=drop
+			drop(*self.ptr); // $ MISSING: Source=drop
 			_ = *self.ptr; // $ MISSING: Alert[rust/access-invalid-pointer]=drop
 			std::alloc::dealloc(self.ptr, layout);
 		}