wip2

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -57,8 +57,8 @@ final class DataFlowCallable extends TDataFlowCallable {
 }
 
 final class DataFlowCall extends TDataFlowCall {
-  /** Gets the underlying call in the CFG, if any. */
-  Call asCall() { this = TCall(result) }
+  /** Gets the underlying function call, if any. */
+  FunctionCall asFunctionCall() { this = TFunctionCall(result) }
 
   predicate isSummaryCall(
     FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
@@ -67,13 +67,13 @@ final class DataFlowCall extends TDataFlowCall {
   }
 
   DataFlowCallable getEnclosingCallable() {
-    result.asCfgScope() = this.asCall().getEnclosingCfgScope()
+    result.asCfgScope() = this.asFunctionCall().getEnclosingCfgScope()
     or
     this.isSummaryCall(result.asSummarizedCallable(), _)
   }
 
   string toString() {
-    result = this.asCall().toString()
+    result = this.asFunctionCall().toString()
     or
     exists(
       FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver
@@ -83,7 +83,7 @@ final class DataFlowCall extends TDataFlowCall {
     )
   }
 
-  Location getLocation() { result = this.asCall().getLocation() }
+  Location getLocation() { result = this.asFunctionCall().getLocation() }
 }
 
 /**
@@ -141,13 +141,8 @@ final class ArgumentPosition extends ParameterPosition {
 
 /**
  * Holds if `arg` is an argument of `call` at the position `pos`.
- *
- * Note that this does not hold for the receiever expression of a method call
- * as the synthetic `ReceiverNode` is the argument for the `self` parameter.
  */
-predicate isArgumentForCall(Expr arg, Call call, ArgumentPosition pos) {
-  // TODO: Handle index expressions as calls in data flow.
-  not call instanceof IndexExpr and
+predicate isArgumentForCall(Expr arg, FunctionCall call, ArgumentPosition pos) {
   arg = pos.getArgument(call)
 }
 
@@ -408,7 +403,7 @@ module RustDataFlow implements InputSig<Location> {
 
   /** Gets a viable implementation of the target of the given `Call`. */
   DataFlowCallable viableCallable(DataFlowCall call) {
-    exists(Call c | c = call.asCall() |
+    exists(FunctionCall c | c = call.asFunctionCall() |
       result.asCfgScope() = c.getARuntimeTarget()
       or
       exists(SummarizedCallable sc, Function staticTarget |
@@ -831,11 +826,7 @@ module RustDataFlow implements InputSig<Location> {
    */
   predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
     (
-      receiver.asExpr() = call.asCall().(CallExpr).getFunction() and
-      // All calls to complex expressions and local variable accesses are lambda call.
-      exists(Expr f | f = receiver.asExpr() |
-        f instanceof PathExpr implies f = any(Variable v).getAnAccess()
-      )
+      receiver.asExpr() = call.asFunctionCall().(ClosureCall).getFunction()
       or
       call.isSummaryCall(_, receiver.(FlowSummaryNode).getSummaryNode())
     ) and
@@ -997,11 +988,9 @@ private module Cached {
 
   cached
   newtype TDataFlowCall =
-    TCall(Call call) {
+    TFunctionCall(FunctionCall call) {
       Stages::DataFlowStage::ref() and
-      call.hasEnclosingCfgScope() and
-      // TODO: Handle index expressions as calls in data flow.
-      not call instanceof IndexExpr
+      call.hasEnclosingCfgScope()
     } or
     TSummaryCall(
       FlowSummaryImpl::Public::SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -22,7 +22,7 @@ module Input implements InputSig<Location, RustDataFlow> {
 
     /** Holds if the associated call resolves to `path`. */
     final predicate callResolvesTo(string path) {
-      path = this.getCall().getStaticTarget().(Addressable).getCanonicalPath()
+      path = this.getCall().getStaticTarget().getCanonicalPath()
     }
   }
 
@@ -128,7 +128,9 @@ module Input implements InputSig<Location, RustDataFlow> {
 private import Make<Location, RustDataFlow, Input> as Impl
 
 private module StepsInput implements Impl::Private::StepsInputSig {
-  DataFlowCall getACall(Public::SummarizedCallable sc) { result.asCall().getStaticTarget() = sc }
+  DataFlowCall getACall(Public::SummarizedCallable sc) {
+    result.asFunctionCall().getStaticTarget() = sc
+  }
 
   /** Gets the argument of `source` described by `sc`, if any. */
   private Expr getSourceNodeArgument(Input::SourceBase source, Impl::Private::SummaryComponent sc) {

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -224,7 +224,7 @@ abstract class ArgumentNode extends Node {
 }
 
 final class ExprArgumentNode extends ArgumentNode, ExprNode {
-  private Call call_;
+  private FunctionCall call_;
   private RustDataFlow::ArgumentPosition pos_;
 
   ExprArgumentNode() {
@@ -234,7 +234,7 @@ final class ExprArgumentNode extends ArgumentNode, ExprNode {
   }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
-    call.asCall() = call_ and pos = pos_
+    call.asFunctionCall() = call_ and pos = pos_
   }
 }
 
@@ -268,7 +268,7 @@ final class DerefBorrowArgNode extends DerefBorrowNode, ArgumentNode {
   private DataFlowCall call_;
   private RustDataFlow::ArgumentPosition pos_;
 
-  DerefBorrowArgNode() { isArgumentForCall(n, call_.asCall(), pos_) }
+  DerefBorrowArgNode() { isArgumentForCall(n, call_.asFunctionCall(), pos_) }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
     call = call_ and pos = pos_
@@ -298,7 +298,7 @@ final class ClosureArgumentNode extends ArgumentNode, ExprNode {
   ClosureArgumentNode() { lambdaCallExpr(call_, _, this.asExpr()) }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
-    call.asCall() = call_ and pos.isClosureSelf()
+    call.asFunctionCall() = call_ and pos.isClosureSelf()
   }
 }
 
@@ -346,11 +346,11 @@ abstract class OutNode extends Node {
 }
 
 final private class ExprOutNode extends ExprNode, OutNode {
-  ExprOutNode() { this.asExpr() instanceof Call }
+  ExprOutNode() { this.asExpr() instanceof FunctionCall }
 
   /** Gets the underlying call CFG node that includes this out node. */
   override DataFlowCall getCall(ReturnKind kind) {
-    result.asCall() = n and
+    result.asFunctionCall() = n and
     kind = TNormalReturnKind()
   }
 }
@@ -482,10 +482,8 @@ newtype TNode =
       or
       e =
         [
-          any(IndexExpr i).getBase(), // todo: remove once `IndexExpr`s are treated as calls in data flow
           any(FieldExpr access).getContainer(), //
           any(TryExpr try).getExpr(), //
-          any(PrefixExpr pe | pe.getOperatorName() = "*").getExpr(), //
           any(AwaitExpr a).getExpr(), //
           getPostUpdateReverseStep(any(PostUpdateNode n).getPreUpdateNode().asExpr(), _)
         ]

rust/ql/lib/codeql/rust/elements/Call.qll

@@ -7,22 +7,35 @@ private import internal.CallImpl
 
 final class Call = Impl::Call;
 
+private predicate isClosureCallExpr(CallExpr call) {
+  exists(Expr receiver | receiver = call.getFunction() |
+    // All calls to complex expressions and local variable accesses are lambda calls
+    receiver instanceof PathExpr implies receiver = any(Variable v).getAnAccess()
+  )
+}
+
+private predicate isGuaranteedMethodCall(Call call) {
+  // even if we cannot resolve the target, we know that the following calls always
+  // target functions
+  call instanceof MethodCallExpr
+  or
+  call.(Operation).isOverloaded(_, _, _)
+  or
+  call instanceof IndexExpr
+}
+
 /**
- * A call expression that targets a function.
+ * A call expression that targets a function or a closure.
  *
  * For example, call expressions like `Some(42)` and `x && y` are _not_ function calls.
  */
 final class FunctionCall extends Call {
   FunctionCall() {
     this.getStaticTarget() instanceof Function
     or
-    // even if we cannot resolve the target, we know that the following calls always
-    // target functions
-    this instanceof MethodCallExpr
-    or
-    this.(Operation).isOverloaded(_, _, _)
+    isClosureCallExpr(this)
     or
-    this instanceof IndexExpr
+    isGuaranteedMethodCall(this)
   }
 
   /** Gets the static target of this function call, if any. */
@@ -34,28 +47,20 @@ final class FunctionCall extends Call {
  */
 final class MethodCall extends FunctionCall {
   MethodCall() {
-    this.getStaticTarget().(Function).hasSelfParam()
+    this.getStaticTarget() instanceof Method
     or
-    // even if we cannot resolve the target, we know that the following calls always
-    // target methods
-    this instanceof MethodCallExpr
-    or
-    this.(Operation).isOverloaded(_, _, _)
-    or
-    this instanceof IndexExpr
+    isGuaranteedMethodCall(this)
   }
+
+  /** Gets the static target of this method call, if any. */
+  Method getStaticTarget() { result = super.getStaticTarget() }
 }
 
 /**
  * A call expression that targets a closure.
  *
  * For closure calls, the static target never exists.
  */
-final class ClosureCall extends CallExpr {
-  ClosureCall() {
-    exists(Expr receiver | receiver = this.getFunction() |
-      // All calls to complex expressions and local variable accesses are lambda calls
-      receiver instanceof PathExpr implies receiver = any(Variable v).getAnAccess()
-    )
-  }
+final class ClosureCall extends FunctionCall, CallExpr {
+  ClosureCall() { isClosureCallExpr(this) }
 }

rust/ql/lib/codeql/rust/elements/Method.qll

@@ -0,0 +1,22 @@
+/**
+ * This module provides the public class `Method`.
+ */
+
+private import rust
+
+/**
+ * A method declaration. For example
+ * ```rust
+ * fn foo(self, x: u32) -> u64 { (x + 1).into() }
+ * ```
+ *
+ * A method declaration within a trait might not have a body:
+ * ```rust
+ * trait Trait {
+ *     fn bar(self);
+ * }
+ * ```
+ */
+final class Method extends Function {
+  Method() { this.hasSelfParam() }
+}

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -230,11 +230,6 @@ module Consistency {
   }
 }
 
-/** A method, that is, a function with a `self` parameter. */
-private class Method extends Function {
-  Method() { this.hasSelfParam() }
-}
-
 /** A function without a `self` parameter. */
 private class NonMethodFunction extends Function {
   NonMethodFunction() { not this.hasSelfParam() }

rust/ql/lib/rust.qll

@@ -19,3 +19,4 @@ import codeql.rust.elements.NamedFormatArgument
 import codeql.rust.elements.PositionalFormatArgument
 import codeql.rust.elements.RangeExprExt
 import codeql.rust.elements.Call
+import codeql.rust.elements.Method