wip

Author: hvitved

rust/ql/lib/codeql/rust/elements/internal/FunctionImpl.qll

@@ -69,5 +69,8 @@ module Impl {
       this.getLocation().getStartLine() <= result.getLocation().getStartLine() and
       result.getLocation().getStartLine() <= this.getName().getLocation().getStartLine()
     }
+
+    pragma[nomagic]
+    predicate hasSelfParam() { this.getParamList().hasSelfParam() }
   }
 }

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -773,7 +773,7 @@ class FunctionPosition extends TFunctionPosition {
     this.isReturn() and
     result = this
     or
-    if f.getParamList().hasSelfParam()
+    if f.hasSelfParam()
     then
       this.isSelf() and result.asPositional() = 0
       or
@@ -870,6 +870,8 @@ private module FunctionOverloading {
    * Holds if type parameter `tp` of `trait` occurs in the function with the name
    * `functionName` at the `pos`th parameter at `path`.
    *
+   * TODO: Update
+   *
    * The special position `-1` refers to the return type of the function, which
    * is sometimes needed to disambiguate associated function calls like
    * `Default::default()` (in this case, `tp` is the special `Self` type parameter).
@@ -951,7 +953,7 @@ private newtype TFunctionPositionType =
   MkFunctionPositionType(Function f, FunctionPosition pos, ImplOrTraitItemNode i) {
     f = i.getAnAssocItem() and
     (
-      f.getParamList().hasSelfParam() and
+      f.hasSelfParam() and
       pos.asArgumentPosition().isSelf()
       or
       exists(f.getParam(pos.asPositional()))
@@ -1083,7 +1085,7 @@ private class FunctionPositionType extends TFunctionPositionType {
       result = f.getParam(pos.asPositional())
       or
       pos.isReturn() and
-      result = f.getRetType()
+      result = f.getRetType().getTypeRepr()
     )
   }
 
@@ -1107,7 +1109,8 @@ private module MethodCallResolution {
    */
   pragma[nomagic]
   predicate methodCandidate(
-    Type type, string name, int arity, ImplOrTraitItemNode i, FunctionPositionType self
+    Type type, string name, int arity, ImplOrTraitItemNode i, FunctionPositionType self,
+    Type selfType
   ) {
     exists(Function f, FunctionPosition pos |
       f = i.getASuccessor(name) and
@@ -1116,13 +1119,17 @@ private module MethodCallResolution {
       self.appliesTo(f, pos, i) and
       pos.isSelf() and
       not i.(ImplItemNode).isBlanket()
+    |
+      selfType = i.(Impl).getSelfTy().(TypeMention).resolveType()
+      or
+      selfType = TTrait(i)
     )
   }
 
   pragma[nomagic]
   private predicate methodCandidateImplTrait(string name, int arity, Trait trait) {
     exists(ImplItemNode i |
-      methodCandidate(_, name, arity, i, _) and
+      methodCandidate(_, name, arity, i, _, _) and
       trait = i.resolveTraitTy()
     )
   }
@@ -1151,7 +1158,7 @@ private module MethodCallResolution {
   ) {
     exists(string name, int arity |
       mc.isMethodCall(name, arity) and
-      methodCandidate(type, name, arity, i, self) //and
+      methodCandidate(type, name, arity, i, self, _) //and
     |
       // not CertainTypeInference::inferCertainType(mc.getReceiver(), TypePath::nil()) != type
       not exists(i.(ImplItemNode).resolveTraitTy())
@@ -1389,7 +1396,7 @@ private module MethodCallResolution {
       exists(Type type, string name, int arity |
         this.isMethodCall(_, type, name, arity) and
         forall(Impl impl |
-          methodCandidate(type, name, arity, impl, _) and
+          methodCandidate(type, name, arity, impl, _, _) and
           not impl.hasTrait()
         |
           this.isNotInherentTarget(impl)
@@ -1656,22 +1663,37 @@ private module FunctionCallResolution {
 
   /** A function call, `f(x)`. */
   final class FunctionCall extends CallExpr {
-    // FunctionCall() { this = Debug::getRelevantLocatable() }
-    private ItemNode getResolvedFunction() { result = CallExprImpl::getResolvedFunction(this) }
+    private ItemNode getPathResolutionResolvedFunction() {
+      result = CallExprImpl::getResolvedFunction(this)
+    }
+
+    // The `Self` type is supplied explicitly as a type qualifier, e.g. `Foo::<Bar>::baz()`
+    pragma[nomagic]
+    Type getQualifierType(TypePath path) {
+      exists(PathExpr pe, TypeMention tm |
+        pe = this.getFunction() and
+        tm = pe.getPath().getQualifier() and
+        result = tm.resolveTypeAt(path) and
+        not resolvePath(tm) instanceof Trait
+      )
+    }
 
     /**
      * Holds if the target of this call is ambigous, and type information is required
      * to disambiguate.
      */
-    predicate isAmbigous() {
+    private predicate isAmbigous() {
       this.(Call).hasTrait()
       or
-      functionResolutionDependsOnArgument(_, _, this.getResolvedFunction(), _, _, _)
+      functionResolutionDependsOnArgument(_, _, this.getPathResolutionResolvedFunction(), _, _, _)
     }
 
     pragma[nomagic]
-    Function getAnAmbigousCandidate0(ImplItemNode impl, FunctionPosition pos, Function resolved) {
-      resolved = this.getResolvedFunction() and
+    Function getAnAmbigousCandidate0(
+      ImplOrTraitItemNode impl, FunctionPosition pos, Function resolved
+    ) {
+      // this = Debug::getRelevantLocatable() and
+      resolved = this.getPathResolutionResolvedFunction() and
       (
         exists(TraitItemNode trait |
           trait = this.(Call).getTrait() and
@@ -1680,16 +1702,25 @@ private module FunctionCallResolution {
         |
           functionResolutionDependsOnArgument(impl, _, result, pos, _, _)
           or
-          exists(TypeParameter tp | traitTypeParameterOccurrence(trait, resolved, _, pos, _, tp) |
-            not pos.isReturn()
-            or
-            // We only check that the context of the call provides relevant type information
-            // when no argument can
-            not traitTypeParameterOccurrence(trait, resolved, _,
-              any(FunctionPosition pos0 | not pos0.isReturn()), _, _)
-          )
+          if resolved.hasSelfParam()
+          then
+            // always check the `self` type in method calls
+            pos.isSelf()
+          else
+            // todo: remove tp
+            exists(TypeParameter tp | traitTypeParameterOccurrence(trait, resolved, _, pos, _, tp) |
+              not pos.isReturn()
+              or
+              // We only check that the context of the call provides relevant type information
+              // when no argument can
+              not exists(FunctionPosition pos0 |
+                traitTypeParameterOccurrence(trait, resolved, _, pos0, _, tp) and
+                not pos0.isReturn()
+              )
+            )
         )
         or
+        not this.(Call).hasTrait() and
         result = resolved and
         functionResolutionDependsOnArgument(impl, _, result, pos, _, _)
       )
@@ -1704,7 +1735,9 @@ private module FunctionCallResolution {
      * `resolved` is the corresponding function resolved through path resolution.
      */
     pragma[nomagic]
-    Function getAnAmbigousCandidate(ImplItemNode impl, FunctionPosition pos, Function resolved) {
+    Function getAnAmbigousCandidate(
+      ImplOrTraitItemNode impl, FunctionPosition pos, Function resolved
+    ) {
       exists(FunctionPosition pos0 |
         result = this.getAnAmbigousCandidate0(impl, pos0, resolved) and
         pos = pos0.getFunctionCallAdjusted(result)
@@ -1715,7 +1748,7 @@ private module FunctionCallResolution {
      * Same as `getAnAmbigousCandidate`, ranks the positions to be checked.
      */
     private Function getAnAmbigousCandidateRanked(
-      ImplItemNode impl, FunctionPosition pos, Function f, int rnk
+      ImplOrTraitItemNode impl, FunctionPosition pos, Function f, int rnk
     ) {
       pos =
         rank[rnk + 1](FunctionPosition pos0, int i1, int i2 |
@@ -1732,7 +1765,7 @@ private module FunctionCallResolution {
 
     pragma[nomagic]
     private Function resolveAmbigousFunctionCallTargetFromIndex(int index) {
-      exists(Impl impl, FunctionPosition pos, Function resolved |
+      exists(ImplOrTraitItemNode impl, FunctionPosition pos, Function resolved |
         IsInstantiationOf<AmbigousFunctionCall, FunctionPositionType, AmbigousFuncIsInstantiationOfInput>::isInstantiationOf(MkAmbigousFunctionCall(this,
             resolved, pos), impl, _) and
         result = this.getAnAmbigousCandidateRanked(impl, pos, resolved, index)
@@ -1759,7 +1792,7 @@ private module FunctionCallResolution {
      */
     pragma[nomagic]
     private ItemNode resolveUnambigousFunctionCallTarget() {
-      result = this.getResolvedFunction() and
+      result = this.getPathResolutionResolvedFunction() and
       not this.isAmbigous()
     }
 
@@ -1785,13 +1818,24 @@ private module FunctionCallResolution {
     AmbigousFunctionCall() { this = MkAmbigousFunctionCall(call, resolved, pos) }
 
     pragma[nomagic]
-    Type getTypeAt(TypePath path) {
+    private Type getTypeAt0(TypePath path) {
       result = inferType(call.(CallExpr).getArg(pos.asPositional()), path)
       or
+      // pos.asPositional() = 0 and
+      // result = call.getQualifierType(path)
+      // or
       pos.isReturn() and
       result = inferType(call, path)
     }
 
+    pragma[nomagic]
+    Type getTypeAt(TypePath path) {
+      result = this.getTypeAt0(path) and
+      not exists(getATraitBound(result))
+      or
+      result = TTrait(getATraitBound(this.getTypeAt0(path)))
+    }
+
     string toString() { result = call.toString() + " (pos: " + pos + ")" }
 
     Location getLocation() { result = call.getLocation() }
@@ -1937,9 +1981,7 @@ private module FunctionCallMatchingInput implements MatchingInputSig {
       exists(Param p, int i |
         p = this.getParam(i) and
         result = p.getTypeRepr().(TypeMention).resolveTypeAt(path) and
-        if this.getParamList().hasSelfParam()
-        then dpos.asPositional() = i + 1
-        else dpos.asPositional() = i
+        if this.hasSelfParam() then dpos.asPositional() = i + 1 else dpos.asPositional() = i
       )
       or
       dpos.asPositional() = 0 and
@@ -1992,14 +2034,8 @@ private module FunctionCallMatchingInput implements MatchingInputSig {
 
     pragma[nomagic]
     Type getInferredType(AccessPosition apos, TypePath path) {
-      // The `Self` type is supplied explicitly as a type qualifier, e.g. `Foo::<Bar>::baz()`
       apos.asArgumentPosition().isSelf() and
-      exists(PathExpr pe, TypeMention tm |
-        pe = this.getFunction() and
-        tm = pe.getPath().getQualifier() and
-        result = tm.resolveTypeAt(path) and
-        not resolvePath(tm) instanceof Trait
-      )
+      result = this.getQualifierType(path)
       or
       result = inferType(this.getNodeAt(apos), path)
     }
@@ -2028,6 +2064,7 @@ private Type inferCallExprType(AstNode n, TypePath path) {
 private module OperationResolution {
   /** An operation, `x + y`. */
   final class Op extends Operation {
+    // Op() { none() }
     pragma[nomagic]
     private Type getTypeAt0(TypePath path) {
       if this.(Call).implicitBorrowAt(any(ArgumentPosition pos | pos.isSelf()), true)
@@ -2099,7 +2136,7 @@ private module OperationResolution {
       Type type, Trait trait, string name, int arity, ImplOrTraitItemNode i,
       FunctionPositionType self
     ) {
-      MethodCallResolution::methodCandidate(type, name, arity, i, self) and
+      MethodCallResolution::methodCandidate(type, name, arity, i, self, _) and
       (
         trait = i.(ImplItemNode).resolveTraitTy()
         or
@@ -2109,9 +2146,10 @@ private module OperationResolution {
 
     pragma[nomagic]
     predicate potentialInstantiationOf(Op op, TypeAbstraction abs, FunctionPositionType constraint) {
-      exists(Type type, Trait trait, string name, int arity |
+      exists(Type type, Trait trait, string name, int arity, Type selfType |
         op.isOperation(type, trait, name, arity) and
-        MethodCallResolution::methodCandidate(type, name, arity, abs, constraint)
+        MethodCallResolution::methodCandidate(type, name, arity, abs, constraint, selfType) and
+        op.getTypeAt(_) = selfType
       |
         trait = abs.(ImplItemNode).resolveTraitTy()
         or
@@ -3035,7 +3073,7 @@ private module Debug {
       // filepath.matches("%/crates/wdk-macros/src/lib.rs") and
       // endline = [255 .. 256]
       filepath.matches("%/main.rs") and
-      startline = 2318
+      startline = 120
     )
   }
 

rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected

@@ -10,12 +10,7 @@ multipleCallTargets
 | test.rs:169:26:169:111 | ...::_print(...) |
 | test.rs:179:30:179:68 | ...::_print(...) |
 | test.rs:188:26:188:105 | ...::_print(...) |
-| test.rs:217:22:217:62 | ... .read_to_end(...) |
-| test.rs:223:22:223:65 | ... .read_to_string(...) |
 | test.rs:229:22:229:72 | ... .read_to_string(...) |
-| test.rs:235:9:235:48 | ... .read_exact(...) |
-| test.rs:513:22:513:50 | file.read_to_end(...) |
-| test.rs:519:22:519:53 | file.read_to_string(...) |
 | test.rs:639:26:639:43 | file1.chain(...) |
 | test.rs:647:26:647:40 | file1.take(...) |
 | test.rs:697:18:697:38 | ...::_print(...) |

rust/ql/test/library-tests/dataflow/sources/InlineFlow.expected

@@ -1,9 +1,3 @@
-| test.rs:319:14:319:20 | &buffer | Fixed missing result: hasTaintFlow |
-| test.rs:326:14:326:20 | &buffer | Fixed missing result: hasTaintFlow |
-| test.rs:333:14:333:20 | &buffer | Fixed missing result: hasTaintFlow |
-| test.rs:592:14:592:20 | &buffer | Fixed missing result: hasTaintFlow="file.txt" |
-| test.rs:598:14:598:20 | &buffer | Fixed missing result: hasTaintFlow="file.txt" |
-| test.rs:604:14:604:20 | &buffer | Fixed missing result: hasTaintFlow="file.txt" |
 | test.rs:641:14:641:20 | &buffer | Fixed missing result: hasTaintFlow="another_file.txt" |
 | test.rs:641:14:641:20 | &buffer | Fixed missing result: hasTaintFlow="file.txt" |
 | test.rs:649:14:649:20 | &buffer | Fixed missing result: hasTaintFlow="file.txt" |