data flow wip

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -582,6 +582,7 @@ module RustDataFlow implements InputSig<Location> {
           .isVariantField([any(OptionEnum o).getSome(), any(ResultEnum r).getOk()], 0)
     )
     or
+    // todo: rely on flow summary instead
     exists(PrefixExprCfgNode deref |
       c instanceof ReferenceContent and
       deref.getOperatorName() = "*" and

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -467,7 +467,7 @@ newtype TNode =
         any(TryExprCfgNode try).getExpr(), //
         any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr(), //
         any(AwaitExprCfgNode a).getExpr(), //
-        any(MethodCallExprCfgNode mc).getReceiver(), //
+        any(CallCfgNode call | call.getCall().receiverImplicitlyBorrowed()).getReceiver(), //
         getPostUpdateReverseStep(any(PostUpdateNode n).getPreUpdateNode().asExpr(), _)
       ]
   } or

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -3482,7 +3482,15 @@ private module Cached {
   /** Holds if `receiver` is the receiver of a method call with an implicit dereference. */
   cached
   predicate receiverHasImplicitDeref(AstNode receiver) {
-    none() // todo
+    exists(MethodCall mc |
+      exists(resolveMethodCallTarget(MkMethodCallDerefChainRef(mc, ".ref;"))) and
+      receiver = mc.getArgument(CallImpl::TSelfArgumentPosition())
+    )
+    or
+    exists(Op op |
+      op.(Call).implicitBorrowAt(CallImpl::TSelfArgumentPosition(), true) and
+      receiver = op.getOperand(0)
+    )
     // exists(MethodCallExprMatchingInput::Access a, MethodCallExprMatchingInput::AccessPosition apos |
     //   apos.getArgumentPosition().isSelf() and
     //   apos.isBorrowed(_) and
@@ -3495,7 +3503,10 @@ private module Cached {
   /** Holds if `receiver` is the receiver of a method call with an implicit borrow. */
   cached
   predicate receiverHasImplicitBorrow(AstNode receiver) {
-    none() // todo
+    exists(MethodCall mc |
+      exists(resolveMethodCallTarget(MkMethodCallDerefChainRef(mc, ";ref"))) and
+      receiver = mc.getArgument(CallImpl::TSelfArgumentPosition())
+    )
     // exists(MethodCallExprMatchingInput::Access a, MethodCallExprMatchingInput::AccessPosition apos |
     //   apos.getArgumentPosition().isSelf() and
     //   apos.isBorrowed(_) and

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -400,6 +400,7 @@ subpaths
 | main.rs:301:50:301:50 | a [MyInt] | main.rs:289:18:289:21 | SelfParam [MyInt] | main.rs:289:48:291:5 | { ... } [MyInt] | main.rs:301:30:301:54 | ...::take_self(...) [MyInt] |
 | main.rs:306:55:306:55 | b [MyInt] | main.rs:293:26:293:37 | ...: MyInt [MyInt] | main.rs:293:49:295:5 | { ... } [MyInt] | main.rs:306:30:306:56 | ...::take_second(...) [MyInt] |
 testFailures
+| main.rs:277:14:277:58 | //... | Missing result: hasTaintFlow=28 |
 #select
 | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
 | main.rs:39:10:39:21 | a.get_data() | main.rs:38:23:38:31 | source(...) | main.rs:39:10:39:21 | a.get_data() | $@ | main.rs:38:23:38:31 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/global/viableCallable.expected

@@ -59,8 +59,6 @@
 | main.rs:212:13:212:34 | ...::new(...) | main.rs:205:5:208:5 | fn new |
 | main.rs:212:24:212:33 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:214:5:214:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:228:10:228:14 | * ... | main.rs:235:5:237:5 | fn deref |
-| main.rs:236:11:236:15 | * ... | main.rs:235:5:237:5 | fn deref |
 | main.rs:242:28:242:36 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:244:13:244:17 | ... + ... | main.rs:220:5:223:5 | fn add |
 | main.rs:245:5:245:17 | sink(...) | main.rs:5:1:7:1 | fn sink |