Rust: Model Deref trait in type inference

Author: hvitved

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -1553,24 +1553,13 @@ private module MethodResolution {
      * Same as `getACandidateReceiverTypeAt`, but without borrows.
      */
     pragma[nomagic]
-    private Type getACandidateReceiverTypeAtNoBorrow(string derefChain, TypePath path) {
+    Type getACandidateReceiverTypeAtNoBorrow(string derefChain, TypePath path) {
       result = this.getReceiverTypeAt(path) and
       derefChain = ""
       or
-      this.supportsAutoDerefAndBorrow() and
-      exists(TypePath path0, Type t0, string derefChain0 |
-        this.hasNoCompatibleTargetMutBorrow(derefChain0) and
-        t0 = this.getACandidateReceiverTypeAtNoBorrow(derefChain0, path0)
-      |
-        path0.isCons(getRefTypeParameter(), path) and
-        result = t0 and
-        derefChain = derefChain0 + ".ref"
-        or
-        path0.isEmpty() and
-        path = path0 and
-        t0 = getStringStruct() and
-        result = getStrStruct() and
-        derefChain = derefChain0 + ".str"
+      exists(ImplicitDeref::DerefImplItemNode impl, string derefChain0 |
+        result = ImplicitDeref::getDereferencedCandidateReceiverType(this, impl, derefChain0, path) and
+        derefChain = derefChain0 + "." + impl.getId()
       )
     }
 
@@ -1818,8 +1807,11 @@ private module MethodResolution {
     }
 
     predicate receiverHasImplicitDeref(AstNode receiver) {
-      exists(this.resolveCallTarget(_, ".ref", TNoBorrowKind())) and
-      receiver = this.getArg(any(ArgumentPosition pos | pos.isSelf()))
+      exists(ImplicitDeref::DerefImplItemNode impl |
+        impl.isRefImpl() and
+        exists(this.resolveCallTarget(_, "." + impl.getId(), TNoBorrowKind())) and
+        receiver = this.getArg(any(ArgumentPosition pos | pos.isSelf()))
+      )
     }
 
     predicate argumentHasImplicitBorrow(AstNode arg, BorrowKind borrow) {
@@ -2089,6 +2081,98 @@ private module MethodResolution {
     Location getLocation() { result = mc_.getLocation() }
   }
 
+  module ImplicitDeref {
+    private import codeql.rust.elements.internal.generated.Raw
+    private import codeql.rust.elements.internal.generated.Synth
+
+    /** An `impl` block that implements the `Deref` trait. */
+    class DerefImplItemNode extends ImplItemNode {
+      DerefImplItemNode() { this.resolveTraitTy() instanceof DerefTrait }
+
+      /**
+       * Holds if this `impl` block is the special `Deref` implementation for
+       * `&T` or `&mut T`:
+       *
+       * ```rust
+       * impl<T: ?Sized> const Deref for &T
+       * ```
+       *
+       * or
+       *
+       * ```rust
+       * impl<T: ?Sized> const Deref for &mut T
+       * ```
+       */
+      predicate isRefImpl() { this.resolveSelfTyBuiltin() instanceof Builtins::RefType }
+
+      /** Gets an internal unique ID used to identify this block amongst all `Deref` impl blocks. */
+      int getId() { idOfRaw(Synth::convertAstNodeToRaw(this), result) }
+    }
+
+    private class DerefImplItemRaw extends Raw::Impl {
+      DerefImplItemRaw() { this = Synth::convertAstNodeToRaw(any(DerefImplItemNode i)) }
+    }
+
+    private predicate id(DerefImplItemRaw x, DerefImplItemRaw y) { x = y }
+
+    private predicate idOfRaw(DerefImplItemRaw x, int y) = equivalenceRelation(id/2)(x, y)
+
+    private newtype TMethodCallDerefCand =
+      MkMethodCallDerefCand(MethodCall mc, string derefChain) {
+        mc.supportsAutoDerefAndBorrow() and
+        mc.hasNoCompatibleTargetMutBorrow(derefChain) and
+        exists(mc.getACandidateReceiverTypeAtNoBorrow(derefChain, _))
+      }
+
+    private class MethodCallDerefCand extends MkMethodCallDerefCand {
+      MethodCall mc_;
+      string derefChain;
+
+      MethodCallDerefCand() { this = MkMethodCallDerefCand(mc_, derefChain) }
+
+      MethodCall getMethodCall() { result = mc_ }
+
+      Type getTypeAt(TypePath path) {
+        result = substituteLookupTraits(mc_.getACandidateReceiverTypeAtNoBorrow(derefChain, path)) and
+        not result = TNeverType() and
+        not result = TUnknownType()
+      }
+
+      string toString() { result = mc_.toString() + " [" + derefChain + "]" }
+
+      Location getLocation() { result = mc_.getLocation() }
+    }
+
+    private module MethodCallSatisfiesConstraintInput implements
+      SatisfiesConstraintInputSig<MethodCallDerefCand>
+    {
+      pragma[nomagic]
+      predicate relevantConstraint(MethodCallDerefCand mc, Type constraint) {
+        exists(mc) and
+        constraint.(TraitType).getTrait() instanceof DerefTrait
+      }
+
+      predicate useUniversalConditions() { none() }
+    }
+
+    pragma[nomagic]
+    private AssociatedTypeTypeParameter getDerefTargetTypeParameter() {
+      result.getTypeAlias() = any(DerefTrait ft).getTargetType()
+    }
+
+    pragma[nomagic]
+    Type getDereferencedCandidateReceiverType(
+      MethodCall mc, DerefImplItemNode impl, string derefChain, TypePath path
+    ) {
+      exists(MethodCallDerefCand mcc, TypePath exprPath |
+        mcc = MkMethodCallDerefCand(mc, derefChain) and
+        SatisfiesConstraint<MethodCallDerefCand, MethodCallSatisfiesConstraintInput>::satisfiesConstraintType(mcc,
+          impl, _, exprPath, result) and
+        exprPath.isCons(getDerefTargetTypeParameter(), path)
+      )
+    }
+  }
+
   private module ReceiverSatisfiesBlanketLikeConstraintInput implements
     BlanketImplementation::SatisfiesBlanketConstraintInputSig<MethodCallCand>
   {
@@ -2444,9 +2528,12 @@ private Type inferMethodCallType1(AstNode n, boolean isReturn, TypePath path) {
     path = path0
     or
     // adjust for implicit deref
-    apos.isSelf() and
-    derefChainBorrow = ".ref;" and
-    path = TypePath::cons(getRefTypeParameter(), path0)
+    exists(MethodResolution::ImplicitDeref::DerefImplItemNode impl |
+      impl.isRefImpl() and
+      apos.isSelf() and
+      derefChainBorrow = "." + impl.getId() + ";" and
+      path = TypePath::cons(getRefTypeParameter(), path0)
+    )
     or
     // adjust for implicit borrow
     apos.isSelf() and
@@ -3292,9 +3379,6 @@ private Type inferTryExprType(TryExpr te, TypePath path) {
 pragma[nomagic]
 private StructType getStrStruct() { result = TStruct(any(Builtins::Str s)) }
 
-pragma[nomagic]
-private StructType getStringStruct() { result = TStruct(any(StringStruct s)) }
-
 pragma[nomagic]
 private Type inferLiteralType(LiteralExpr le, TypePath path, boolean certain) {
   path.isEmpty() and

rust/ql/test/library-tests/dataflow/sources/file/InlineFlow.expected

@@ -35,7 +35,8 @@ models
 | 34 | Summary: <_ as tokio::io::util::async_read_ext::AsyncReadExt>::read_to_string; Argument[self].Reference; Argument[0].Reference; taint |
 | 35 | Summary: <_ as tokio::io::util::async_read_ext::AsyncReadExt>::read_u8; Argument[self].Reference; ReturnValue.Future.Field[core::result::Result::Ok(0)]; taint |
 | 36 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
-| 37 | Summary: <std::path::PathBuf>::as_path; Argument[self]; ReturnValue; value |
+| 37 | Summary: <std::path::Path>::canonicalize; Argument[self].Reference.OptionalBarrier[normalize-path]; ReturnValue.Field[core::result::Result::Ok(0)]; taint |
+| 38 | Summary: <std::path::PathBuf>::as_path; Argument[self]; ReturnValue; value |
 edges
 | test.rs:12:13:12:18 | buffer | test.rs:13:14:13:19 | buffer | provenance |  |
 | test.rs:12:31:12:43 | ...::read | test.rs:12:31:12:55 | ...::read(...) [Ok] | provenance | Src:MaD:11  |
@@ -51,12 +52,15 @@ edges
 | test.rs:22:22:22:52 | TryExpr | test.rs:22:13:22:18 | buffer | provenance |  |
 | test.rs:29:13:29:16 | path | test.rs:30:14:30:17 | path | provenance |  |
 | test.rs:29:13:29:16 | path | test.rs:31:14:31:17 | path | provenance |  |
+| test.rs:29:13:29:16 | path | test.rs:40:14:40:17 | path | provenance |  |
 | test.rs:29:13:29:16 | path | test.rs:41:14:41:17 | path | provenance |  |
 | test.rs:29:20:29:27 | e.path() | test.rs:29:13:29:16 | path | provenance |  |
 | test.rs:29:22:29:25 | path | test.rs:29:20:29:27 | e.path() | provenance | Src:MaD:4 MaD:4 |
 | test.rs:30:14:30:17 | path | test.rs:30:14:30:25 | path.clone() | provenance | MaD:18 |
 | test.rs:31:14:31:17 | path | test.rs:31:14:31:25 | path.clone() | provenance | MaD:18 |
-| test.rs:31:14:31:25 | path.clone() | test.rs:31:14:31:35 | ... .as_path() | provenance | MaD:37 |
+| test.rs:31:14:31:25 | path.clone() | test.rs:31:14:31:35 | ... .as_path() | provenance | MaD:38 |
+| test.rs:40:14:40:17 | path | test.rs:40:14:40:32 | path.canonicalize() [Ok] | provenance | MaD:37 |
+| test.rs:40:14:40:32 | path.canonicalize() [Ok] | test.rs:40:14:40:41 | ... .unwrap() | provenance | MaD:36 |
 | test.rs:43:13:43:21 | file_name | test.rs:44:14:44:22 | file_name | provenance |  |
 | test.rs:43:13:43:21 | file_name | test.rs:49:14:49:22 | file_name | provenance |  |
 | test.rs:43:25:43:37 | e.file_name() | test.rs:43:13:43:21 | file_name | provenance |  |
@@ -273,6 +277,9 @@ nodes
 | test.rs:31:14:31:17 | path | semmle.label | path |
 | test.rs:31:14:31:25 | path.clone() | semmle.label | path.clone() |
 | test.rs:31:14:31:35 | ... .as_path() | semmle.label | ... .as_path() |
+| test.rs:40:14:40:17 | path | semmle.label | path |
+| test.rs:40:14:40:32 | path.canonicalize() [Ok] | semmle.label | path.canonicalize() [Ok] |
+| test.rs:40:14:40:41 | ... .unwrap() | semmle.label | ... .unwrap() |
 | test.rs:41:14:41:17 | path | semmle.label | path |
 | test.rs:43:13:43:21 | file_name | semmle.label | file_name |
 | test.rs:43:25:43:37 | e.file_name() | semmle.label | e.file_name() |
@@ -492,6 +499,7 @@ testFailures
 | test.rs:23:14:23:19 | buffer | test.rs:22:22:22:39 | ...::read_to_string | test.rs:23:14:23:19 | buffer | $@ | test.rs:22:22:22:39 | ...::read_to_string | ...::read_to_string |
 | test.rs:30:14:30:25 | path.clone() | test.rs:29:22:29:25 | path | test.rs:30:14:30:25 | path.clone() | $@ | test.rs:29:22:29:25 | path | path |
 | test.rs:31:14:31:35 | ... .as_path() | test.rs:29:22:29:25 | path | test.rs:31:14:31:35 | ... .as_path() | $@ | test.rs:29:22:29:25 | path | path |
+| test.rs:40:14:40:41 | ... .unwrap() | test.rs:29:22:29:25 | path | test.rs:40:14:40:41 | ... .unwrap() | $@ | test.rs:29:22:29:25 | path | path |
 | test.rs:41:14:41:17 | path | test.rs:29:22:29:25 | path | test.rs:41:14:41:17 | path | $@ | test.rs:29:22:29:25 | path | path |
 | test.rs:44:14:44:30 | file_name.clone() | test.rs:43:27:43:35 | file_name | test.rs:44:14:44:30 | file_name.clone() | $@ | test.rs:43:27:43:35 | file_name | file_name |
 | test.rs:49:14:49:22 | file_name | test.rs:43:27:43:35 | file_name | test.rs:49:14:49:22 | file_name | $@ | test.rs:43:27:43:35 | file_name | file_name |

rust/ql/test/library-tests/dataflow/sources/file/TaintSources.expected

@@ -7,6 +7,9 @@
 | test.rs:51:52:51:59 | read_dir | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:54:22:54:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:55:27:55:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:57:56:57:63 | read_dir | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:60:22:60:25 | path | Flow source 'FileSource' of type file (DEFAULT). |
+| test.rs:61:27:61:35 | file_name | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:65:22:65:34 | ...::read_link | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:74:31:74:45 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |
 | test.rs:79:31:79:45 | ...::read | Flow source 'FileSource' of type file (DEFAULT). |

rust/ql/test/library-tests/dataflow/sources/file/test.rs

@@ -37,7 +37,7 @@ fn test_fs() -> Result<(), Box<dyn std::error::Error>> {
         sink(path.to_path_buf()); // $ MISSING: hasTaintFlow
         sink(path.file_name().unwrap()); // $ MISSING: hasTaintFlow
         sink(path.extension().unwrap()); // $ MISSING: hasTaintFlow
-        sink(path.canonicalize().unwrap()); // $ MISSING: hasTaintFlow
+        sink(path.canonicalize().unwrap()); // $ hasTaintFlow
         sink(path); // $ hasTaintFlow
 
         let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
@@ -54,11 +54,11 @@ fn test_fs() -> Result<(), Box<dyn std::error::Error>> {
         let path = e.path(); // $ Alert[rust/summary/taint-sources]
         let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
     }
-    for entry in std::path::PathBuf::from("directory").read_dir()? {
+    for entry in std::path::PathBuf::from("directory").read_dir()? { // $ Alert[rust/summary/taint-sources]
         let e = entry?;
 
-        let path = e.path(); // $ MISSING: Alert[rust/summary/taint-sources]
-        let file_name = e.file_name(); // $ MISSING: Alert[rust/summary/taint-sources]
+        let path = e.path(); // $ Alert[rust/summary/taint-sources]
+        let file_name = e.file_name(); // $ Alert[rust/summary/taint-sources]
     }
 
     {