Rust: Define neutralElement in the shared data flow input.

2026-03-31 04:38:18 +02:00 · 2026-02-23 19:18:07 +00:00
parent a5aeadd31d
commit 6b7f339287
2 changed files with 15 additions and 7 deletions
--- a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
@@ -9,6 +9,7 @@ private import codeql.rust.dataflow.internal.DataFlowImpl
 private import codeql.rust.internal.PathResolution
 private import codeql.rust.dataflow.FlowSummary
 private import codeql.rust.dataflow.Ssa
+private import codeql.rust.dataflow.internal.ModelsAsData
 private import Content

 predicate encodeContentTupleField(TupleFieldContent c, string arg) {
@@ -46,6 +47,16 @@ module Input implements InputSig<Location, RustDataFlow> {

  abstract class SinkBase extends SourceSinkBase { }

+  predicate neutralElement(
+    Input::SummarizedCallableBase c, string kind, string provenance, boolean isExact
+  ) {
+    exists(string path |
+      neutralModel(path, kind, provenance, _) and
+      c.getCanonicalPath() = path and
+      isExact = true
+    )
+  }
+
  private class CallExprFunction extends SourceBase, SinkBase {
    private CallExpr call;

--- a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
@@ -140,19 +140,14 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
    |
      this = f and
      isExact_ = true and
-      p_ = p and
-      // Do not apply generated models where there is a neutral model
-      not (
-        p_.isGenerated() and
-        neutralModel(path, "summary", _, _)
-      )
+      p_ = p
      or
      this.implements(f) and
      isExact_ = false and
      // making inherited models generated means that source code definitions and
      // exact generated models take precedence
      p_ = "hq-generated" and
-      // Do not apply inherited models where there is a neutral model
+      // Do not apply inherited models (which are considered generated) where there is a neutral model
      not neutralModel(path, "summary", _, _)
    )
  }
@@ -183,6 +178,7 @@ private class FlowSourceFromModel extends FlowSource::Range {
      model = "MaD:" + madId.toString()
    ) and
    // Only apply generated models when no neutral model exists
+    // (the shared code only applies neutral models to summaries at present)
    not (
      provenance.isGenerated() and
      neutralModel(path, "source", _, _)
@@ -204,6 +200,7 @@ private class FlowSinkFromModel extends FlowSink::Range {
      model = "MaD:" + madId.toString()
    ) and
    // Only apply generated models when no neutral model exists
+    // (the shared code only applies neutral models to summaries at present)
    not (
      provenance.isGenerated() and
      neutralModel(path, "sink", _, _)