wip2

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -57,8 +57,8 @@ final class DataFlowCallable extends TDataFlowCallable {
 }
 
 final class DataFlowCall extends TDataFlowCall {
-  /** Gets the underlying call in the CFG, if any. */
-  Call asCall() { this = TCall(result) }
+  /** Gets the underlying function call, if any. */
+  FunctionCall asFunctionCall() { this = TFunctionCall(result) }
 
   predicate isSummaryCall(
     FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
@@ -67,13 +67,13 @@ final class DataFlowCall extends TDataFlowCall {
   }
 
   DataFlowCallable getEnclosingCallable() {
-    result.asCfgScope() = this.asCall().getEnclosingCfgScope()
+    result.asCfgScope() = this.asFunctionCall().getEnclosingCfgScope()
     or
     this.isSummaryCall(result.asSummarizedCallable(), _)
   }
 
   string toString() {
-    result = this.asCall().toString()
+    result = this.asFunctionCall().toString()
     or
     exists(
       FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
@@ -83,7 +83,7 @@ final class DataFlowCall extends TDataFlowCall {
     )
   }
 
-  Location getLocation() { result = this.asCall().getLocation() }
+  Location getLocation() { result = this.asFunctionCall().getLocation() }
 }
 
 /**
@@ -141,13 +141,8 @@ final class ArgumentPosition extends ParameterPosition {
 
 /**
  * Holds if `arg` is an argument of `call` at the position `pos`.
- *
- * Note that this does not hold for the receiever expression of a method call
- * as the synthetic `ReceiverNode` is the argument for the `self` parameter.
  */
-predicate isArgumentForCall(Expr arg, Call call, ArgumentPosition pos) {
-  // TODO: Handle index expressions as calls in data flow.
-  not call instanceof IndexExpr and
+predicate isArgumentForCall(Expr arg, FunctionCall call, ArgumentPosition pos) {
   arg = pos.getArgument(call)
 }
 
@@ -408,7 +403,7 @@ module RustDataFlow implements InputSig<Location> {
 
   /** Gets a viable implementation of the target of the given `Call`. */
   DataFlowCallable viableCallable(DataFlowCall call) {
-    exists(Call c | c = call.asCall() |
+    exists(FunctionCall c | c = call.asFunctionCall() |
       result.asCfgScope() = c.getARuntimeTarget()
       or
       exists(SummarizedCallable sc, Function staticTarget |
@@ -831,11 +826,7 @@ module RustDataFlow implements InputSig<Location> {
    */
   predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
     (
-      receiver.asExpr() = call.asCall().(CallExpr).getFunction() and
-      // All calls to complex expressions and local variable accesses are lambda call.
-      exists(Expr f | f = receiver.asExpr() |
-        f instanceof PathExpr implies f = any(Variable v).getAnAccess()
-      )
+      receiver.asExpr() = call.asFunctionCall().(ClosureCall).getFunction()
       or
       call.isSummaryCall(_, receiver.(FlowSummaryNode).getSummaryNode())
     ) and
@@ -997,11 +988,9 @@ private module Cached {
 
   cached
   newtype TDataFlowCall =
-    TCall(Call call) {
+    TFunctionCall(FunctionCall call) {
       Stages::DataFlowStage::ref() and
-      call.hasEnclosingCfgScope() and
-      // TODO: Handle index expressions as calls in data flow.
-      not call instanceof IndexExpr
+      call.hasEnclosingCfgScope()
     } or
     TSummaryCall(
       FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -22,7 +22,7 @@ module Input implements InputSig<Location, RustDataFlow> {
 
     /** Holds if the associated call resolves to `path`. */
     final predicate callResolvesTo(string path) {
-      path = this.getCall().getStaticTarget().(Addressable).getCanonicalPath()
+      path = this.getCall().getStaticTarget().getCanonicalPath()
     }
   }
 
@@ -128,7 +128,9 @@ module Input implements InputSig<Location, RustDataFlow> {
 private import Make<Location, RustDataFlow, Input> as Impl
 
 private module StepsInput implements Impl::Private::StepsInputSig {
-  DataFlowCall getACall(Public::SummarizedCallable sc) { result.asCall().getStaticTarget() = sc }
+  DataFlowCall getACall(Public::SummarizedCallable sc) {
+    result.asFunctionCall().getStaticTarget() = sc
+  }
 
   /** Gets the argument of `source` described by `sc`, if any. */
   private Expr getSourceNodeArgument(Input::SourceBase source, Impl::Private::SummaryComponent sc) {

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -224,7 +224,7 @@ abstract class ArgumentNode extends Node {
 }
 
 final class ExprArgumentNode extends ArgumentNode, ExprNode {
-  private Call call_;
+  private FunctionCall call_;
   private RustDataFlow::ArgumentPosition pos_;
 
   ExprArgumentNode() {
@@ -234,7 +234,7 @@ final class ExprArgumentNode extends ArgumentNode, ExprNode {
   }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
-    call.asCall() = call_ and pos = pos_
+    call.asFunctionCall() = call_ and pos = pos_
   }
 }
 
@@ -268,7 +268,7 @@ final class DerefBorrowArgNode extends DerefBorrowNode, ArgumentNode {
   private DataFlowCall call_;
   private RustDataFlow::ArgumentPosition pos_;
 
-  DerefBorrowArgNode() { isArgumentForCall(n, call_.asCall(), pos_) }
+  DerefBorrowArgNode() { isArgumentForCall(n, call_.asFunctionCall(), pos_) }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
     call = call_ and pos = pos_
@@ -298,7 +298,7 @@ final class ClosureArgumentNode extends ArgumentNode, ExprNode {
   ClosureArgumentNode() { lambdaCallExpr(call_, _, this.asExpr()) }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
-    call.asCall() = call_ and pos.isClosureSelf()
+    call.asFunctionCall() = call_ and pos.isClosureSelf()
   }
 }
 
@@ -346,11 +346,11 @@ abstract class OutNode extends Node {
 }
 
 final private class ExprOutNode extends ExprNode, OutNode {
-  ExprOutNode() { this.asExpr() instanceof Call }
+  ExprOutNode() { this.asExpr() instanceof FunctionCall }
 
   /** Gets the underlying call CFG node that includes this out node. */
   override DataFlowCall getCall(ReturnKind kind) {
-    result.asCall() = n and
+    result.asFunctionCall() = n and
     kind = TNormalReturnKind()
   }
 }
@@ -482,10 +482,8 @@ newtype TNode =
       or
       e =
         [
-          any(IndexExpr i).getBase(), // todo: remove once `IndexExpr`s are treated as calls in data flow
           any(FieldExpr access).getContainer(), //
           any(TryExpr try).getExpr(), //
-          any(PrefixExpr pe | pe.getOperatorName() = "*").getExpr(), //
           any(AwaitExpr a).getExpr(), //
           getPostUpdateReverseStep(any(PostUpdateNode n).getPreUpdateNode().asExpr(), _)
         ]

rust/ql/lib/codeql/rust/elements/Call.qll

@@ -7,22 +7,35 @@ private import internal.CallImpl
 
 final class Call = Impl::Call;
 
+private predicate isClosureCallExpr(CallExpr call) {
+  exists(Expr receiver | receiver = call.getFunction() |
+    // All calls to complex expressions and local variable accesses are lambda calls
+    receiver instanceof PathExpr implies receiver = any(Variable v).getAnAccess()
+  )
+}
+
+private predicate isGuaranteedMethodCall(Call call) {
+  // even if we cannot resolve the target, we know that the following calls always
+  // target functions
+  call instanceof MethodCallExpr
+  or
+  call.(Operation).isOverloaded(_, _, _)
+  or
+  call instanceof IndexExpr
+}
+
 /**
- * A call expression that targets a function.
+ * A call expression that targets a function or a closure.
  *
  * For example, call expressions like `Some(42)` and `x && y` are _not_ function calls.
  */
 final class FunctionCall extends Call {
   FunctionCall() {
     this.getStaticTarget() instanceof Function
     or
-    // even if we cannot resolve the target, we know that the following calls always
-    // target functions
-    this instanceof MethodCallExpr
-    or
-    this.(Operation).isOverloaded(_, _, _)
+    isClosureCallExpr(this)
     or
-    this instanceof IndexExpr
+    isGuaranteedMethodCall(this)
   }
 
   /** Gets the static target of this function call, if any. */
@@ -34,28 +47,20 @@ final class FunctionCall extends Call {
  */
 final class MethodCall extends FunctionCall {
   MethodCall() {
-    this.getStaticTarget().(Function).hasSelfParam()
+    this.getStaticTarget() instanceof Method
     or
-    // even if we cannot resolve the target, we know that the following calls always
-    // target methods
-    this instanceof MethodCallExpr
-    or
-    this.(Operation).isOverloaded(_, _, _)
-    or
-    this instanceof IndexExpr
+    isGuaranteedMethodCall(this)
   }
+
+  /** Gets the static target of this method call, if any. */
+  Method getStaticTarget() { result = super.getStaticTarget() }
 }
 
 /**
  * A call expression that targets a closure.
  *
  * For closure calls, the static target never exists.
  */
-final class ClosureCall extends CallExpr {
-  ClosureCall() {
-    exists(Expr receiver | receiver = this.getFunction() |
-      // All calls to complex expressions and local variable accesses are lambda calls
-      receiver instanceof PathExpr implies receiver = any(Variable v).getAnAccess()
-    )
-  }
+final class ClosureCall extends FunctionCall, CallExpr {
+  ClosureCall() { isClosureCallExpr(this) }
 }

rust/ql/lib/codeql/rust/elements/Method.qll

@@ -0,0 +1,22 @@
+/**
+ * This module provides the public class `Method`.
+ */
+
+private import rust
+
+/**
+ * A method declaration. For example
+ * ```rust
+ * fn foo(self, x: u32) -> u64 { (x + 1).into() }
+ * ```
+ *
+ * A method declaration within a trait might not have a body:
+ * ```rust
+ * trait Trait {
+ *     fn bar(self);
+ * }
+ * ```
+ */
+final class Method extends Function {
+  Method() { this.hasSelfParam() }
+}

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -230,11 +230,6 @@ module Consistency {
   }
 }
 
-/** A method, that is, a function with a `self` parameter. */
-private class Method extends Function {
-  Method() { this.hasSelfParam() }
-}
-
 /** A function without a `self` parameter. */
 private class NonMethodFunction extends Function {
   NonMethodFunction() { not this.hasSelfParam() }

rust/ql/lib/rust.qll

@@ -19,3 +19,4 @@ import codeql.rust.elements.NamedFormatArgument
 import codeql.rust.elements.PositionalFormatArgument
 import codeql.rust.elements.RangeExprExt
 import codeql.rust.elements.Call
+import codeql.rust.elements.Method

rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -38,7 +38,6 @@ localStep
 | main.rs:30:12:30:12 | x | main.rs:30:12:30:12 | [SSA] x |
 | main.rs:30:12:30:12 | x | main.rs:30:12:30:12 | x |
 | main.rs:30:16:30:16 | s | main.rs:30:12:30:12 | x |
-| main.rs:31:12:34:9 | [post] { ... } | main.rs:33:13:33:16 | [post] true |
 | main.rs:32:18:32:18 | [post] x | main.rs:36:14:36:14 | x |
 | main.rs:32:18:32:18 | x | main.rs:36:14:36:14 | x |
 | main.rs:33:13:33:16 | true | main.rs:31:12:34:9 | { ... } |
@@ -111,7 +110,6 @@ localStep
 | main.rs:76:13:76:21 | source(...) | main.rs:76:9:76:9 | k |
 | main.rs:77:5:77:5 | [SSA] j | main.rs:78:10:78:10 | j |
 | main.rs:77:5:77:5 | j | main.rs:77:5:77:5 | [SSA] j |
-| main.rs:77:9:77:9 | [post] k | main.rs:79:10:79:10 | k |
 | main.rs:77:9:77:9 | k | main.rs:77:5:77:5 | j |
 | main.rs:77:9:77:9 | k | main.rs:79:10:79:10 | k |
 | main.rs:81:9:81:13 | mut l | main.rs:81:13:81:13 | l |
@@ -332,7 +330,6 @@ localStep
 | main.rs:267:17:267:17 | n | main.rs:267:17:267:17 | [SSA] n |
 | main.rs:267:17:267:17 | n | main.rs:267:17:267:17 | n |
 | main.rs:267:22:267:23 | s1 | main.rs:267:12:267:18 | Some(...) |
-| main.rs:268:12:271:9 | [post] { ... } | main.rs:270:13:270:16 | [post] true |
 | main.rs:269:18:269:18 | [post] n | main.rs:273:14:273:14 | n |
 | main.rs:269:18:269:18 | n | main.rs:273:14:273:14 | n |
 | main.rs:270:13:270:16 | true | main.rs:268:12:271:9 | { ... } |
@@ -950,7 +947,6 @@ readStep
 | main.rs:546:11:546:39 | [post] ... .unwrap() [borrowed] | file://:0:0:0:0 | &ref | main.rs:546:11:546:39 | [post] ... .unwrap() |
 | main.rs:548:9:548:14 | &mut ... | file://:0:0:0:0 | &ref | main.rs:548:14:548:14 | v |
 | main.rs:548:19:548:35 | vs_mut.iter_mut() | file://:0:0:0:0 | element | main.rs:548:9:548:14 | &mut ... |
-| main.rs:560:14:560:15 | [post] &b | file://:0:0:0:0 | &ref | main.rs:560:15:560:15 | [post] b |
 | main.rs:562:11:562:15 | [post] c_ref [borrowed] | file://:0:0:0:0 | &ref | main.rs:562:11:562:15 | [post] c_ref |
 | main.rs:562:11:562:15 | c_ref | file://:0:0:0:0 | &ref | main.rs:562:10:562:15 | * ... |
 storeStep

rust/ql/test/library-tests/variables/Ssa.expected

@@ -152,6 +152,7 @@ definition
 | main.rs:577:13:577:13 | y | main.rs:577:13:577:13 | y |
 | main.rs:580:13:580:20 | closure2 | main.rs:580:13:580:20 | closure2 |
 | main.rs:581:9:581:9 | y | main.rs:577:13:577:13 | y |
+| main.rs:583:5:583:14 | <captured exit> y | main.rs:577:13:577:13 | y |
 | main.rs:586:13:586:13 | z | main.rs:586:13:586:13 | z |
 | main.rs:589:13:589:20 | closure3 | main.rs:589:13:589:20 | closure3 |
 | main.rs:589:24:591:5 | <captured entry> z | main.rs:586:13:586:13 | z |
@@ -169,6 +170,7 @@ definition
 | main.rs:625:9:625:9 | x | main.rs:625:9:625:9 | x |
 | main.rs:648:20:648:23 | self | main.rs:648:20:648:23 | self |
 | main.rs:652:11:652:14 | self | main.rs:652:11:652:14 | self |
+| main.rs:656:23:656:26 | self | main.rs:656:23:656:26 | self |
 | main.rs:657:17:657:17 | f | main.rs:657:17:657:17 | f |
 | main.rs:657:21:660:9 | <captured entry> self | main.rs:656:23:656:26 | self |
 | main.rs:657:22:657:22 | n | main.rs:657:22:657:22 | n |
@@ -193,6 +195,7 @@ definition
 | main.rs:746:20:746:20 | b | main.rs:746:20:746:20 | b |
 | main.rs:748:17:750:9 | SSA phi(x) | main.rs:745:13:745:13 | x |
 | main.rs:749:13:749:13 | x | main.rs:745:13:745:13 | x |
+| main.rs:752:5:752:13 | <captured exit> x | main.rs:745:13:745:13 | x |
 read
 | main.rs:5:14:5:14 | s | main.rs:5:14:5:14 | s | main.rs:7:20:7:20 | s |
 | main.rs:10:14:10:14 | i | main.rs:10:14:10:14 | i | main.rs:12:20:12:20 | i |
@@ -352,8 +355,8 @@ read
 | main.rs:568:13:568:13 | x | main.rs:568:13:568:13 | x | main.rs:575:15:575:15 | x |
 | main.rs:571:9:571:16 | closure1 | main.rs:571:9:571:16 | closure1 | main.rs:574:5:574:12 | closure1 |
 | main.rs:571:20:573:5 | <captured entry> x | main.rs:568:13:568:13 | x | main.rs:572:19:572:19 | x |
-| main.rs:577:13:577:13 | y | main.rs:577:13:577:13 | y | main.rs:584:15:584:15 | y |
 | main.rs:580:13:580:20 | closure2 | main.rs:580:13:580:20 | closure2 | main.rs:583:5:583:12 | closure2 |
+| main.rs:583:5:583:14 | <captured exit> y | main.rs:577:13:577:13 | y | main.rs:584:15:584:15 | y |
 | main.rs:586:13:586:13 | z | main.rs:586:13:586:13 | z | main.rs:593:15:593:15 | z |
 | main.rs:589:13:589:20 | closure3 | main.rs:589:13:589:20 | closure3 | main.rs:592:5:592:12 | closure3 |
 | main.rs:589:24:591:5 | <captured entry> z | main.rs:586:13:586:13 | z | main.rs:590:9:590:9 | z |
@@ -398,9 +401,9 @@ read
 | main.rs:729:9:729:20 | var_in_macro | main.rs:729:9:729:20 | var_in_macro | main.rs:735:15:735:26 | var_in_macro |
 | main.rs:734:15:734:28 | var_in_macro | main.rs:734:15:734:28 | var_in_macro | main.rs:734:30:734:41 | var_in_macro |
 | main.rs:740:5:740:5 | x | main.rs:739:9:739:9 | x | main.rs:741:15:741:15 | x |
-| main.rs:745:13:745:13 | x | main.rs:745:13:745:13 | x | main.rs:753:15:753:15 | x |
 | main.rs:746:13:746:15 | cap | main.rs:746:13:746:15 | cap | main.rs:752:5:752:7 | cap |
 | main.rs:746:20:746:20 | b | main.rs:746:20:746:20 | b | main.rs:748:20:748:20 | b |
+| main.rs:752:5:752:13 | <captured exit> x | main.rs:745:13:745:13 | x | main.rs:753:15:753:15 | x |
 firstRead
 | main.rs:5:14:5:14 | s | main.rs:5:14:5:14 | s | main.rs:7:20:7:20 | s |
 | main.rs:10:14:10:14 | i | main.rs:10:14:10:14 | i | main.rs:12:20:12:20 | i |
@@ -528,8 +531,8 @@ firstRead
 | main.rs:568:13:568:13 | x | main.rs:568:13:568:13 | x | main.rs:575:15:575:15 | x |
 | main.rs:571:9:571:16 | closure1 | main.rs:571:9:571:16 | closure1 | main.rs:574:5:574:12 | closure1 |
 | main.rs:571:20:573:5 | <captured entry> x | main.rs:568:13:568:13 | x | main.rs:572:19:572:19 | x |
-| main.rs:577:13:577:13 | y | main.rs:577:13:577:13 | y | main.rs:584:15:584:15 | y |
 | main.rs:580:13:580:20 | closure2 | main.rs:580:13:580:20 | closure2 | main.rs:583:5:583:12 | closure2 |
+| main.rs:583:5:583:14 | <captured exit> y | main.rs:577:13:577:13 | y | main.rs:584:15:584:15 | y |
 | main.rs:586:13:586:13 | z | main.rs:586:13:586:13 | z | main.rs:593:15:593:15 | z |
 | main.rs:589:13:589:20 | closure3 | main.rs:589:13:589:20 | closure3 | main.rs:592:5:592:12 | closure3 |
 | main.rs:589:24:591:5 | <captured entry> z | main.rs:586:13:586:13 | z | main.rs:590:9:590:9 | z |
@@ -564,9 +567,9 @@ firstRead
 | main.rs:729:9:729:20 | var_in_macro | main.rs:729:9:729:20 | var_in_macro | main.rs:735:15:735:26 | var_in_macro |
 | main.rs:734:15:734:28 | var_in_macro | main.rs:734:15:734:28 | var_in_macro | main.rs:734:30:734:41 | var_in_macro |
 | main.rs:740:5:740:5 | x | main.rs:739:9:739:9 | x | main.rs:741:15:741:15 | x |
-| main.rs:745:13:745:13 | x | main.rs:745:13:745:13 | x | main.rs:753:15:753:15 | x |
 | main.rs:746:13:746:15 | cap | main.rs:746:13:746:15 | cap | main.rs:752:5:752:7 | cap |
 | main.rs:746:20:746:20 | b | main.rs:746:20:746:20 | b | main.rs:748:20:748:20 | b |
+| main.rs:752:5:752:13 | <captured exit> x | main.rs:745:13:745:13 | x | main.rs:753:15:753:15 | x |
 adjacentReads
 | main.rs:27:5:27:6 | x2 | main.rs:25:13:25:14 | x2 | main.rs:28:15:28:16 | x2 | main.rs:29:10:29:11 | x2 |
 | main.rs:41:9:41:10 | x3 | main.rs:41:9:41:10 | x3 | main.rs:42:15:42:16 | x3 | main.rs:44:9:44:10 | x3 |