temp

Author: hvitved

rust/ql/lib/codeql/rust/internal/typeinference/BlanketImplementation.qll

@@ -96,7 +96,7 @@ module SatisfiesBlanketConstraint<
 
     Type getTypeAt(TypePath path) {
       result = at.getTypeAt(blanketPath.appendInverse(path)) and
-      not result instanceof UnknownType
+      not result instanceof PseudoType
     }
 
     string toString() { result = at.toString() + " [blanket at " + blanketPath.toString() + "]" }

rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll

@@ -329,7 +329,7 @@ module ArgIsInstantiationOf<ArgSig Arg, IsInstantiationOfInputSig<Arg, AssocFunc
   private class ArgSubst extends ArgFinal {
     Type getTypeAt(TypePath path) {
       result = substituteLookupTraits0(this.getEnclosingItemNode(), super.getTypeAt(path)) and
-      not result instanceof UnknownType
+      not result instanceof PseudoType
     }
   }
 

rust/ql/lib/codeql/rust/internal/typeinference/Type.qll

@@ -354,8 +354,6 @@ class PtrConstType extends PtrType {
 
 abstract class PseudoType extends Type {
   override TypeParameter getPositionalTypeParameter(int i) { none() }
-
-  override Location getLocation() { result instanceof EmptyLocation }
 }
 
 /**
@@ -382,6 +380,8 @@ abstract class PseudoType extends Type {
  */
 class UnknownType extends PseudoType, TUnknownType {
   override string toString() { result = "(unknown type)" }
+
+  override Location getLocation() { result instanceof EmptyLocation }
 }
 
 class ClosureParameterPseudoType extends PseudoType, TClosureParameterPseudoType {
@@ -392,6 +392,8 @@ class ClosureParameterPseudoType extends PseudoType, TClosureParameterPseudoType
   Param getParam() { result = param }
 
   override string toString() { result = "(closure parameter " + param + ")" }
+
+  override Location getLocation() { result = param.getLocation() }
 }
 
 /** A type parameter. */

rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll

@@ -293,6 +293,7 @@ private module Input3 implements InputSig3 {
 
   class AstNode = Rust::AstNode;
 
+  // todo: remove
   TypeMention getTypeAnnotation(AstNode n) {
     exists(Static static |
       n = static and
@@ -1847,7 +1848,7 @@ private module AssocFunctionResolution {
       not this.hasReceiver() and
       exists(TypePath strippedTypePath, Type strippedType |
         strippedType = substituteLookupTraits(this, this.getTypeAt(selfPos, strippedTypePath)) and
-        not strippedType instanceof UnknownType
+        not strippedType instanceof PseudoType
       |
         nonBlanketLikeCandidate(this, _, selfPos, _, _, strippedTypePath, strippedType)
         or
@@ -1943,7 +1944,7 @@ private module AssocFunctionResolution {
       FunctionPosition selfPos, DerefChain derefChain, BorrowKind borrow, TypePath path
     ) {
       result = this.getSelfTypeAt(selfPos, derefChain, borrow, path) and
-      not result instanceof UnknownType
+      not result instanceof PseudoType
     }
 
     pragma[nomagic]
@@ -2602,7 +2603,7 @@ private module AssocFunctionResolution {
 
       Type getTypeAt(TypePath path) {
         result = substituteLookupTraits(afc, afc.getSelfTypeAtNoBorrow(selfPos, derefChain, path)) and
-        not result instanceof UnknownType
+        not result instanceof PseudoType
       }
 
       string toString() { result = afc + " [" + derefChain.toString() + "]" }

rust/ql/test/query-tests/security/CWE-089/CONSISTENCY/PathResolutionConsistency.expected

@@ -1,3 +1,6 @@
+multipleResolvedTargets
+| sqlx.rs:158:13:158:24 | query_args.add(...) |
+| sqlx.rs:160:17:160:28 | query_args.add(...) |
 multiplePathResolutions
 | mysql.rs:5:37:5:74 | Result::<...> |
 | mysql.rs:26:20:26:44 | Result::<...> |

rust/ql/test/utils-tests/modelgenerator/CaptureSummaryModels.expected

@@ -1,2 +1,8 @@
 unexpectedModel
+| Unexpected summary found: <test::option::MyOption>::as_deref;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];ReturnValue.Field[test::option::MyOption::MySome(0)].Reference;value;dfc-generated |
+| Unexpected summary found: <test::option::MyOption>::as_deref;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];ReturnValue.Field[test::option::MyOption::MySome(0)];value;dfc-generated |
+| Unexpected summary found: <test::option::MyOption>::as_deref_mut;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];ReturnValue.Field[test::option::MyOption::MySome(0)].Reference;value;dfc-generated |
 expectedModel
+| Expected summary missing: <test::option::MyOption>::as_deref;Argument[self].Reference.Field[test::option::MyOption::MySome(0)];ReturnValue.Field[test::option::MyOption::MySome(0)].Reference;taint;dfc-generated |
+| Expected summary missing: <test::option::MyOption>::map;Argument[self].Field[test::option::MyOption::MySome(0)].Reference;ReturnValue.Field[test::option::MyOption::MySome(0)].Reference;taint;dfc-generated |
+| Expected summary missing: <test::option::MyOption>::map;Argument[self].Field[test::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated |

shared/typeinference/codeql/typeinference/internal/TypeInference.qll

@@ -2471,7 +2471,30 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         TypeMention getReturnType();
       }
 
-      /** A special pseudo type representing a particular closure parameter. */
+      /**
+       * A special pseudo type representing a particular closure parameter.
+       *
+       * This is needed in cases where the type of a closure parameter must be
+       * inferred from the inferred _return type_ of the closure. For example,
+       * in
+       *
+       * ```rust
+       * let c = |x| x;
+       * let r: i32 = c(42);
+       * ```
+       *
+       * by assigning `x` the pseudo type `T_x`, we can
+       *
+       * 1. bottom-up infer that `c` has type `Fn(_) -> T_x`,
+       * 2. this enables us to detect that contextual inference is needed, so we also
+       *    assign `c` the type `Fn(_) -> UnknownType`,
+       * 3. using bottom-up inference allows us to infer that `c(42)` must have
+       *    `UnknownType`,
+       * 4. using contextual inference allows us to infer that `c` has type `Fn(_) -> i32`, and
+       * 5. finally since `c` also has type `Fn(_) -> T_x`, we conclude that `x` has type `i32`.
+       *
+       * . Then, when we propagate type information downwards from the
+       */
       class ClosureParameterPseudoType extends PseudoType;
 
       /** Gets the pseudo type corresponding to closure parameter `p`. */
@@ -2554,6 +2577,15 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         )
       }
 
+      private predicate closureStep(AstNode n1, TypePath path1, Closure n2, TypePath path2) {
+        exists(int index, Parameter p |
+          n1 = p.getPattern() and
+          p = n2.getParameter(index) and
+          path1.isEmpty() and
+          path2 = getClosureParameterTypePath(p)
+        )
+      }
+
       /** Provides logic for inferring certain type information. */
       private module Certain {
         predicate stepCertain(AstNode n1, TypePath path1, AstNode n2, TypePath path2) {
@@ -2572,27 +2604,17 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
             or
             n1 = n2.(ParenExpr).getExpr()
           )
-          or
-          exists(Closure c, int index, Parameter p |
-            path1.isEmpty() and
-            p = c.getParameter(index)
-          |
-            n1 = p and
-            n2 = c and
-            path2 = getClosureParameterTypePath(n1)
-            or
-            n1 = p.getPattern() and
-            n2 = p and
-            path2.isEmpty()
-          )
         }
 
         pragma[nomagic]
         private Type inferTypeFromStepCertain(AstNode n, TypePath path) {
           exists(TypePath path1, AstNode n2, TypePath path2, TypePath suffix |
             result = inferTypeCertain(n2, path2.appendInverse(suffix)) and
-            path = path1.append(suffix) and
+            path = path1.append(suffix)
+          |
             stepCertain(n2, path2, n, path1)
+            or
+            closureStep(n2, path2, n, path1)
           )
         }
 
@@ -2716,8 +2738,12 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
       private Type inferTypeFromStep(AstNode n, TypePath path) {
         exists(TypePath path1, AstNode n2, TypePath path2, TypePath suffix |
           result = inferType(n2, path2.appendInverse(suffix)) and
-          path = path1.append(suffix) and
+          path = path1.append(suffix)
+        |
           step(n2, path2, n, path1)
+          or
+          closureStep(n2, path2, n, path1) and
+          not result = getClosureParameterPseudoType(n.(Closure).getParameter(_))
         )
       }
 
@@ -2752,8 +2778,11 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         or
         exists(TypePath path1, AstNode n2, TypePath path2, TypePath suffix |
           result = inferType(n2, path2.appendInverse(suffix)) and
-          path = path1.append(suffix) and
+          path = path1.append(suffix)
+        |
           step(n, path1, n2, path2)
+          or
+          closureStep(n, path1, n2, path2)
         )
       }
 
@@ -2765,31 +2794,43 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         prefix = path.getAPrefix()
       }
 
-      private Type inferClosureType(AstNode n, TypePath path) {
+      pragma[nomagic]
+      private predicate hasClosureParameterPseudoType(AstNode n, Parameter p, TypePath path) {
+        inferType0(n, path) = getClosureParameterPseudoType(p)
+      }
+
+      /**
+       * If the type of a parameter occurs in the inferred return type of the closure,
+       * allow for contextual inference based on the inferred return type to propagate
+       * type information into the parameter
+       */
+      private Type inferClosureParameterType(AstNode n, TypePath path) {
         exists(Closure c, Parameter p | p = c.getParameter(_) |
-          n = p.getPattern() and
-          path.isEmpty() and
-          result = getClosureParameterPseudoType(p)
-          or
-          exists(TypePath ret | inferType(c, ret) = getClosureParameterPseudoType(p) |
+          not exists(p.getType()) and
+          (
+            n = p.getPattern() and
+            path.isEmpty() and
+            result = getClosureParameterPseudoType(p)
+            or
             n = c and
-            path = ret and
+            path = getClosureParameterTypePath(p) and
             result instanceof UnknownType
             or
-            inferType(c, ret.appendInverse(path)) = result and
             n = p.getPattern() and
+            result = inferType(c, getClosureParameterTypePath(p).appendInverse(path)) and
             not result instanceof UnknownType
           )
           or
+          hasClosureParameterPseudoType(c, p, path) and
+          n = c and
+          result instanceof UnknownType
+          or
           exists(AstNode n0, TypePath prefix |
-            inferType(n0, prefix) = getClosureParameterPseudoType(p) and
-            result = inferTypeCertain(n0, prefix.appendInverse(path)) and
-            n = p.getPattern()
+            hasClosureParameterPseudoType(n0, p, prefix) and
+            result = inferType(n0, prefix.appendInverse(path)) and
+            n = p.getPattern() and
+            not result instanceof UnknownType
           )
-          // or
-          // n = p.getPattern() and
-          // result = inferType(p, path) and
-          // not result instanceof UnknownType
         )
       }
 
@@ -2815,7 +2856,7 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         or
         result = inferConstructionReturnType(n, path)
         or
-        result = inferClosureType(n, path)
+        result = inferClosureParameterType(n, path)
         or
         // contextual typing: only propagate type information from surrounding context
         // into a node which has an explicitly unknown type
@@ -2842,7 +2883,12 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         |
           not Certain::certainTypeConflict(n, prefix, path, result)
           or
-          result instanceof PseudoType and not result instanceof UnknownType // todo
+          // propagate closure parameter pseudo types even when there is certain information,
+          // but prevent propagation outside of the closure
+          exists(Parameter p |
+            result = getClosureParameterPseudoType(p) and
+            not p = n.(Closure).getParameter(_)
+          )
         )
         or
         // If `n` has an explicitly unknown type at `prefix` and at the same time a certain