Rust: Cache defaultAdditionalTaintStep

2026-04-20 06:24:03 +02:00 · 2024-12-05 15:18:25 +01:00
parent 7eb3b40977
commit ed4819aeab
4 changed files with 37 additions and 6 deletions
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -1101,9 +1101,11 @@ import MakeImpl<Location, RustDataFlow>
 /** A collection of cached types and predicates to be evaluated in the same stage. */
 cached
 private module Cached {
+  private import codeql.rust.internal.CachedStages
+
  cached
  newtype TNode =
-    TExprNode(ExprCfgNode n) or
+    TExprNode(ExprCfgNode n) { Stages::DataFlowStage::ref() } or
    TSourceParameterNode(ParamBaseCfgNode p) or
    TPatNode(PatCfgNode p) or
    TExprPostUpdateNode(ExprCfgNode e) {
--- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -4,6 +4,7 @@ private import codeql.rust.controlflow.CfgNodes
 private import codeql.rust.dataflow.FlowSummary
 private import DataFlowImpl
 private import FlowSummaryImpl as FlowSummaryImpl
+private import codeql.rust.internal.CachedStages

 module RustTaintTracking implements InputSig<Location, RustDataFlow> {
  predicate defaultTaintSanitizer(Node::Node node) { none() }
@@ -12,7 +13,9 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
   * Holds if the additional step from `pred` to `succ` should be included in all
   * global taint flow configurations.
   */
+  cached
  predicate defaultAdditionalTaintStep(Node::Node pred, Node::Node succ, string model) {
+    Stages::DataFlowStage::ref() and
    model = "" and
    (
      exists(BinaryExprCfgNode binary |
--- a/rust/ql/lib/codeql/rust/elements/internal/ArrayExprImpl.qll
+++ b/rust/ql/lib/codeql/rust/elements/internal/ArrayExprImpl.qll
@@ -22,7 +22,7 @@ module Impl {
   * ```
   */
  class ArrayExpr extends Generated::ArrayExpr {
-    cached
+    pragma[nomagic]
    private Raw::ArrayExprInternal getUnderlyingEntity() {
      this = Synth::TArrayListExpr(result) or this = Synth::TArrayRepeatExpr(result)
    }
--- a/rust/ql/lib/codeql/rust/internal/CachedStages.qll
+++ b/rust/ql/lib/codeql/rust/internal/CachedStages.qll
@@ -35,10 +35,6 @@ module Stages {
   */
  cached
  module AstStage {
-    private import codeql.rust.controlflow.internal.Splitting
-    private import codeql.rust.controlflow.internal.SuccessorType
-    private import codeql.rust.controlflow.internal.ControlFlowGraphImpl
-
    /**
     * Always holds.
     * Ensures that a predicate is evaluated as part of the AST stage.
@@ -98,4 +94,34 @@ module Stages {
      exists(CallExprCfgNode n | exists(n.getFunction()))
    }
  }
+
+  /**
+   * The data flow stage.
+   */
+  cached
+  module DataFlowStage {
+    private import codeql.rust.dataflow.internal.DataFlowImpl
+    private import codeql.rust.dataflow.internal.TaintTrackingImpl
+
+    /**
+     * Always holds.
+     * Ensures that a predicate is evaluated as part of the data flow stage.
+     */
+    cached
+    predicate ref() { 1 = 1 }
+
+    /**
+     * DO NOT USE!
+     *
+     * Contains references to each predicate that use the above `ref` predicate.
+     */
+    cached
+    predicate backref() {
+      1 = 1
+      or
+      exists(Node n)
+      or
+      RustTaintTracking::defaultAdditionalTaintStep(_, _, _)
+    }
+  }
 }