Merge pull request #20966 from geoffw0/lifetimetest

Rust: Fix FPs from rust/access-after-lifetime-ended

Author: geoffw0

rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll

@@ -102,7 +102,7 @@ module AccessAfterLifetime {
     // propagate through function calls
     exists(Call call |
       mayEncloseOnStack(a, call.getEnclosingBlock()) and
-      call.getStaticTarget() = b.getEnclosingCallable()
+      call.getARuntimeTarget() = b.getEnclosingCallable()
     )
   }
 

rust/ql/src/change-notes/2025-12-04-access-after-lifetime-ended.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed false positives from the `rust/access-after-lifetime-ended` query, involving calls to trait methods.

rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected

@@ -194,6 +194,10 @@ edges
 | lifetime.rs:798:9:798:12 | &val | lifetime.rs:798:2:798:12 | return ... | provenance |  |
 | lifetime.rs:802:6:802:8 | ptr | lifetime.rs:808:23:808:25 | ptr | provenance |  |
 | lifetime.rs:802:12:802:24 | get_pointer(...) | lifetime.rs:802:6:802:8 | ptr | provenance |  |
+| lifetime.rs:841:13:841:27 | ...: ... | lifetime.rs:843:12:843:14 | ptr | provenance |  |
+| lifetime.rs:851:6:851:8 | ptr | lifetime.rs:853:20:853:22 | ptr | provenance |  |
+| lifetime.rs:851:12:851:23 | &local_value | lifetime.rs:851:6:851:8 | ptr | provenance |  |
+| lifetime.rs:853:20:853:22 | ptr | lifetime.rs:841:13:841:27 | ...: ... | provenance |  |
 | main.rs:18:9:18:10 | p1 [&ref] | main.rs:21:19:21:20 | p1 | provenance |  |
 | main.rs:18:9:18:10 | p1 [&ref] | main.rs:29:19:29:20 | p1 | provenance |  |
 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | main.rs:18:9:18:10 | p1 [&ref] | provenance |  |
@@ -409,6 +413,11 @@ nodes
 | lifetime.rs:802:6:802:8 | ptr | semmle.label | ptr |
 | lifetime.rs:802:12:802:24 | get_pointer(...) | semmle.label | get_pointer(...) |
 | lifetime.rs:808:23:808:25 | ptr | semmle.label | ptr |
+| lifetime.rs:841:13:841:27 | ...: ... | semmle.label | ...: ... |
+| lifetime.rs:843:12:843:14 | ptr | semmle.label | ptr |
+| lifetime.rs:851:6:851:8 | ptr | semmle.label | ptr |
+| lifetime.rs:851:12:851:23 | &local_value | semmle.label | &local_value |
+| lifetime.rs:853:20:853:22 | ptr | semmle.label | ptr |
 | main.rs:18:9:18:10 | p1 [&ref] | semmle.label | p1 [&ref] |
 | main.rs:18:14:18:29 | ...::as_ptr(...) [&ref] | semmle.label | ...::as_ptr(...) [&ref] |
 | main.rs:18:26:18:28 | &b1 | semmle.label | &b1 |

rust/ql/test/query-tests/security/CWE-825/lifetime.rs

@@ -827,3 +827,33 @@ pub fn test_lifetimes_example_good() {
 
 	println!("	val = {dereferenced_ptr}");
 }
+
+// --- generic calls ---
+
+trait Processor {
+	fn process(ptr: *const i64) -> i64;
+}
+
+struct MyProcessor {
+}
+
+impl Processor for MyProcessor {
+	fn process(ptr: *const i64) -> i64 {
+		unsafe {
+			return *ptr; // good
+		}
+	}
+}
+
+fn generic_caller<T: Processor>() -> i64
+{
+	let local_value: i64 = 10;
+	let ptr = &local_value as *const i64;
+
+	return T::process(ptr);
+}
+
+pub fn test_generic() {
+	let result = generic_caller::<MyProcessor>();
+	println!("	result = {result}");
+}

rust/ql/test/query-tests/security/CWE-825/main.rs

@@ -209,4 +209,7 @@ fn main() {
 
     println!("test_lifetimes_example_good:");
     test_lifetimes_example_good();
+
+    println!("test_generic:");
+    test_generic();
 }