Merge pull request #18714 from paldepind/rust-pointer

Rust: Handle writes to references and add encoding of reference content

Author: paldepind

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -1211,6 +1211,17 @@ module RustDataFlow implements InputSig<Location> {
     )
   }
 
+  pragma[nomagic]
+  private predicate referenceAssignment(Node node1, Node node2, ReferenceContent c) {
+    exists(AssignmentExprCfgNode assignment, PrefixExprCfgNode deref |
+      assignment.getLhs() = deref and
+      deref.getOperatorName() = "*" and
+      node1.asExpr() = assignment.getRhs() and
+      node2.asExpr() = deref.getExpr() and
+      exists(c)
+    )
+  }
+
   pragma[nomagic]
   private predicate storeContentStep(Node node1, Content c, Node node2) {
     exists(CallExprCfgNode call, int pos |
@@ -1242,6 +1253,8 @@ module RustDataFlow implements InputSig<Location> {
     or
     fieldAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
     or
+    referenceAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
+    or
     exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index |
       c instanceof ElementContent and
       assignment.getLhs() = index and
@@ -1285,6 +1298,8 @@ module RustDataFlow implements InputSig<Location> {
   predicate clearsContent(Node n, ContentSet cs) {
     fieldAssignment(_, n, cs.(SingletonContentSet).getContent())
     or
+    referenceAssignment(_, n, cs.(SingletonContentSet).getContent())
+    or
     FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(Node::FlowSummaryNode).getSummaryNode(),
       cs)
     or

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -89,6 +89,10 @@ module Input implements InputSig<Location, RustDataFlow> {
           arg = v.getExtendedCanonicalPath() + "(" + v.getPosition() + ")"
         )
       or
+      result = "Reference" and
+      c = TReferenceContent() and
+      arg = ""
+      or
       result = "Element" and
       c = TElementContent() and
       arg = ""

rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -81,9 +81,8 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, RustDataF
   }
 
   bindingset[c]
-  string paramReturnNodeAsOutput(R::Callable c, ParameterPosition pos) {
-    // TODO: Implement this to support returning through parameters.
-    result = "paramReturnNodeAsOutput(" + c + ", " + pos + ")"
+  string paramReturnNodeAsOutput(Callable c, ParameterPosition pos) {
+    result = paramReturnNodeAsContentOutput(c, pos)
   }
 
   bindingset[c]

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -42,6 +42,13 @@ edges
 | main.rs:101:13:101:30 | mn.data_through(...) | main.rs:101:9:101:9 | b | provenance |  |
 | main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | provenance |  |
 | main.rs:101:29:101:29 | a | main.rs:101:13:101:30 | mn.data_through(...) | provenance |  |
+| main.rs:139:25:139:30 | ...: i64 | main.rs:140:10:140:10 | c | provenance |  |
+| main.rs:140:6:140:6 | [post] n [&ref] | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | provenance |  |
+| main.rs:140:10:140:10 | c | main.rs:140:6:140:6 | [post] n [&ref] | provenance |  |
+| main.rs:148:13:148:13 | [post] m [&ref] | main.rs:149:11:149:11 | m [&ref] | provenance |  |
+| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | provenance |  |
+| main.rs:148:16:148:25 | source(...) | main.rs:148:13:148:13 | [post] m [&ref] | provenance |  |
+| main.rs:149:11:149:11 | m [&ref] | main.rs:149:10:149:11 | * ... | provenance |  |
 nodes
 | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } |
 | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) |
@@ -92,11 +99,20 @@ nodes
 | main.rs:101:13:101:30 | mn.data_through(...) | semmle.label | mn.data_through(...) |
 | main.rs:101:29:101:29 | a | semmle.label | a |
 | main.rs:102:10:102:10 | b | semmle.label | b |
+| main.rs:139:12:139:22 | ...: ... [Return] [&ref] | semmle.label | ...: ... [Return] [&ref] |
+| main.rs:139:25:139:30 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:140:6:140:6 | [post] n [&ref] | semmle.label | [post] n [&ref] |
+| main.rs:140:10:140:10 | c | semmle.label | c |
+| main.rs:148:13:148:13 | [post] m [&ref] | semmle.label | [post] m [&ref] |
+| main.rs:148:16:148:25 | source(...) | semmle.label | source(...) |
+| main.rs:149:10:149:11 | * ... | semmle.label | * ... |
+| main.rs:149:11:149:11 | m [&ref] | semmle.label | m [&ref] |
 subpaths
 | main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) |
 | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) |
 | main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | main.rs:51:36:53:5 | { ... } | main.rs:55:13:55:27 | pass_through(...) |
 | main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | main.rs:77:43:83:5 | { ... } | main.rs:101:13:101:30 | mn.data_through(...) |
+| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | main.rs:148:13:148:13 | [post] m [&ref] |
 testFailures
 #select
 | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
@@ -107,3 +123,4 @@ testFailures
 | main.rs:68:14:68:14 | n | main.rs:94:13:94:21 | source(...) | main.rs:68:14:68:14 | n | $@ | main.rs:94:13:94:21 | source(...) | source(...) |
 | main.rs:89:10:89:10 | a | main.rs:74:13:74:21 | source(...) | main.rs:89:10:89:10 | a | $@ | main.rs:74:13:74:21 | source(...) | source(...) |
 | main.rs:102:10:102:10 | b | main.rs:100:13:100:21 | source(...) | main.rs:102:10:102:10 | b | $@ | main.rs:100:13:100:21 | source(...) | source(...) |
+| main.rs:149:10:149:11 | * ... | main.rs:148:16:148:25 | source(...) | main.rs:149:10:149:11 | * ... | $@ | main.rs:148:16:148:25 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/global/main.rs

@@ -134,6 +134,29 @@ pub fn test_operator_overloading() {
     sink(d.value); // $ MISSING: hasValueFlow=7
 }
 
+// Flow out of mutable parameters.
+
+fn set_int(n: &mut i64, c: i64) {
+    *n = c;
+}
+
+fn mutates_argument_1() {
+    // Passing an already borrowed value to a function and then reading from the same borrow.
+    let mut n = 0;
+    let m = &mut n;
+    sink(*m);
+    set_int(m, source(37));
+    sink(*m); // $ hasValueFlow=37
+}
+
+fn mutates_argument_2() {
+    // Borrowing at the call and then reading from the unborrowed variable.
+    let mut n = 0;
+    sink(n);
+    set_int(&mut n, source(88));
+    sink(n); // $ MISSING: hasValueFlow=88
+}
+
 fn main() {
     data_out_of_call();
     data_in_to_call();
@@ -145,4 +168,6 @@ fn main() {
     data_through_method();
 
     test_operator_overloading();
+    mutates_argument_1();
+    mutates_argument_2();
 }

rust/ql/test/library-tests/dataflow/global/viableCallable.expected

@@ -29,11 +29,21 @@
 | main.rs:131:28:131:36 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:133:13:133:20 | a.add(...) | main.rs:114:5:117:5 | fn add |
 | main.rs:134:5:134:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:138:5:138:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call |
-| main.rs:139:5:139:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call |
-| main.rs:140:5:140:23 | data_through_call(...) | main.rs:34:1:38:1 | fn data_through_call |
-| main.rs:141:5:141:34 | data_through_nested_function(...) | main.rs:48:1:57:1 | fn data_through_nested_function |
-| main.rs:143:5:143:24 | data_out_of_method(...) | main.rs:86:1:90:1 | fn data_out_of_method |
-| main.rs:144:5:144:28 | data_in_to_method_call(...) | main.rs:92:1:96:1 | fn data_in_to_method_call |
-| main.rs:145:5:145:25 | data_through_method(...) | main.rs:98:1:103:1 | fn data_through_method |
-| main.rs:147:5:147:31 | test_operator_overloading(...) | main.rs:120:1:135:1 | fn test_operator_overloading |
+| main.rs:147:5:147:12 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:148:5:148:26 | set_int(...) | main.rs:139:1:141:1 | fn set_int |
+| main.rs:148:16:148:25 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:149:5:149:12 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:155:5:155:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:156:5:156:31 | set_int(...) | main.rs:139:1:141:1 | fn set_int |
+| main.rs:156:21:156:30 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:157:5:157:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:161:5:161:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call |
+| main.rs:162:5:162:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call |
+| main.rs:163:5:163:23 | data_through_call(...) | main.rs:34:1:38:1 | fn data_through_call |
+| main.rs:164:5:164:34 | data_through_nested_function(...) | main.rs:48:1:57:1 | fn data_through_nested_function |
+| main.rs:166:5:166:24 | data_out_of_method(...) | main.rs:86:1:90:1 | fn data_out_of_method |
+| main.rs:167:5:167:28 | data_in_to_method_call(...) | main.rs:92:1:96:1 | fn data_in_to_method_call |
+| main.rs:168:5:168:25 | data_through_method(...) | main.rs:98:1:103:1 | fn data_through_method |
+| main.rs:170:5:170:31 | test_operator_overloading(...) | main.rs:120:1:135:1 | fn test_operator_overloading |
+| main.rs:171:5:171:24 | mutates_argument_1(...) | main.rs:143:1:150:1 | fn mutates_argument_1 |
+| main.rs:172:5:172:24 | mutates_argument_2(...) | main.rs:152:1:158:1 | fn mutates_argument_2 |