Rust: Handle writes to references and add encoding of reference content

paldepind · paldepind · commit 11055760a442 · 2025-02-07T13:53:17.000+01:00
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -1211,6 +1211,17 @@ module RustDataFlow implements InputSig<Location> {
     )
   }
 
+  pragma[nomagic]
+  private predicate referenceAssignment(Node node1, Node node2, ReferenceContent c) {
+    exists(AssignmentExprCfgNode assignment, PrefixExprCfgNode deref |
+      assignment.getLhs() = deref and
+      deref.getOperatorName() = "*" and
+      node1.asExpr() = assignment.getRhs() and
+      node2.asExpr() = deref.getExpr() and
+      exists(c)
+    )
+  }
+
   pragma[nomagic]
   private predicate storeContentStep(Node node1, Content c, Node node2) {
     exists(CallExprCfgNode call, int pos |
@@ -1242,6 +1253,8 @@ module RustDataFlow implements InputSig<Location> {
     or
     fieldAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
     or
+    referenceAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
+    or
     exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index |
       c instanceof ElementContent and
       assignment.getLhs() = index and
@@ -1285,6 +1298,8 @@ module RustDataFlow implements InputSig<Location> {
   predicate clearsContent(Node n, ContentSet cs) {
     fieldAssignment(_, n, cs.(SingletonContentSet).getContent())
     or
+    referenceAssignment(_, n, cs.(SingletonContentSet).getContent())
+    or
     FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(Node::FlowSummaryNode).getSummaryNode(),
       cs)
     or
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
@@ -89,6 +89,10 @@ module Input implements InputSig<Location, RustDataFlow> {
           arg = v.getExtendedCanonicalPath() + "(" + v.getPosition() + ")"
         )
       or
+      result = "Reference" and
+      c = TReferenceContent() and
+      arg = ""
+      or
       result = "Element" and
       c = TElementContent() and
       arg = ""
diff --git a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -81,9 +81,8 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, RustDataF
   }
 
   bindingset[c]
-  string paramReturnNodeAsOutput(R::Callable c, ParameterPosition pos) {
-    // TODO: Implement this to support returning through parameters.
-    result = "paramReturnNodeAsOutput(" + c + ", " + pos + ")"
+  string paramReturnNodeAsOutput(Callable c, ParameterPosition pos) {
+    result = paramReturnNodeAsContentOutput(c, pos)
   }
 
   bindingset[c]
diff --git a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
@@ -42,6 +42,13 @@ edges
 | main.rs:101:13:101:30 | mn.data_through(...) | main.rs:101:9:101:9 | b | provenance |  |
 | main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | provenance |  |
 | main.rs:101:29:101:29 | a | main.rs:101:13:101:30 | mn.data_through(...) | provenance |  |
+| main.rs:139:25:139:30 | ...: i64 | main.rs:140:10:140:10 | c | provenance |  |
+| main.rs:140:6:140:6 | [post] n [&ref] | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | provenance |  |
+| main.rs:140:10:140:10 | c | main.rs:140:6:140:6 | [post] n [&ref] | provenance |  |
+| main.rs:148:13:148:13 | [post] m [&ref] | main.rs:149:11:149:11 | m [&ref] | provenance |  |
+| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | provenance |  |
+| main.rs:148:16:148:25 | source(...) | main.rs:148:13:148:13 | [post] m [&ref] | provenance |  |
+| main.rs:149:11:149:11 | m [&ref] | main.rs:149:10:149:11 | * ... | provenance |  |
 nodes
 | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } |
 | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) |
@@ -92,11 +99,20 @@ nodes
 | main.rs:101:13:101:30 | mn.data_through(...) | semmle.label | mn.data_through(...) |
 | main.rs:101:29:101:29 | a | semmle.label | a |
 | main.rs:102:10:102:10 | b | semmle.label | b |
+| main.rs:139:12:139:22 | ...: ... [Return] [&ref] | semmle.label | ...: ... [Return] [&ref] |
+| main.rs:139:25:139:30 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:140:6:140:6 | [post] n [&ref] | semmle.label | [post] n [&ref] |
+| main.rs:140:10:140:10 | c | semmle.label | c |
+| main.rs:148:13:148:13 | [post] m [&ref] | semmle.label | [post] m [&ref] |
+| main.rs:148:16:148:25 | source(...) | semmle.label | source(...) |
+| main.rs:149:10:149:11 | * ... | semmle.label | * ... |
+| main.rs:149:11:149:11 | m [&ref] | semmle.label | m [&ref] |
 subpaths
 | main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) |
 | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) |
 | main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | main.rs:51:36:53:5 | { ... } | main.rs:55:13:55:27 | pass_through(...) |
 | main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | main.rs:77:43:83:5 | { ... } | main.rs:101:13:101:30 | mn.data_through(...) |
+| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | main.rs:148:13:148:13 | [post] m [&ref] |
 testFailures
 #select
 | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
@@ -107,3 +123,4 @@ testFailures
 | main.rs:68:14:68:14 | n | main.rs:94:13:94:21 | source(...) | main.rs:68:14:68:14 | n | $@ | main.rs:94:13:94:21 | source(...) | source(...) |
 | main.rs:89:10:89:10 | a | main.rs:74:13:74:21 | source(...) | main.rs:89:10:89:10 | a | $@ | main.rs:74:13:74:21 | source(...) | source(...) |
 | main.rs:102:10:102:10 | b | main.rs:100:13:100:21 | source(...) | main.rs:102:10:102:10 | b | $@ | main.rs:100:13:100:21 | source(...) | source(...) |
+| main.rs:149:10:149:11 | * ... | main.rs:148:16:148:25 | source(...) | main.rs:149:10:149:11 | * ... | $@ | main.rs:148:16:148:25 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/global/main.rs b/rust/ql/test/library-tests/dataflow/global/main.rs
@@ -146,7 +146,7 @@ fn mutates_argument_1() {
     let m = &mut n;
     sink(*m);
     set_int(m, source(37));
-    sink(*m); // $ MISSING: hasValueFlow=37
+    sink(*m); // $ hasValueFlow=37
 }
 
 fn mutates_argument_2() {
diff --git a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected
@@ -8,6 +8,9 @@ edges
 | main.rs:15:9:15:9 | c | main.rs:16:10:16:10 | c | provenance |  |
 | main.rs:15:13:15:14 | * ... | main.rs:15:9:15:9 | c | provenance |  |
 | main.rs:15:14:15:14 | b [&ref] | main.rs:15:13:15:14 | * ... | provenance |  |
+| main.rs:31:6:31:6 | [post] b [&ref] | main.rs:32:11:32:11 | b [&ref] | provenance |  |
+| main.rs:31:10:31:19 | source(...) | main.rs:31:6:31:6 | [post] b [&ref] | provenance |  |
+| main.rs:32:11:32:11 | b [&ref] | main.rs:32:10:32:11 | * ... | provenance |  |
 | main.rs:37:25:37:26 | &... [&ref] | main.rs:37:26:37:26 | n | provenance |  |
 | main.rs:37:25:37:32 | ...: ... [&ref] | main.rs:37:25:37:26 | &... [&ref] | provenance |  |
 | main.rs:37:26:37:26 | n | main.rs:38:10:38:10 | n | provenance |  |
@@ -54,6 +57,10 @@ nodes
 | main.rs:15:13:15:14 | * ... | semmle.label | * ... |
 | main.rs:15:14:15:14 | b [&ref] | semmle.label | b [&ref] |
 | main.rs:16:10:16:10 | c | semmle.label | c |
+| main.rs:31:6:31:6 | [post] b [&ref] | semmle.label | [post] b [&ref] |
+| main.rs:31:10:31:19 | source(...) | semmle.label | source(...) |
+| main.rs:32:10:32:11 | * ... | semmle.label | * ... |
+| main.rs:32:11:32:11 | b [&ref] | semmle.label | b [&ref] |
 | main.rs:37:25:37:26 | &... [&ref] | semmle.label | &... [&ref] |
 | main.rs:37:25:37:32 | ...: ... [&ref] | semmle.label | ...: ... [&ref] |
 | main.rs:37:26:37:26 | n | semmle.label | n |
@@ -100,6 +107,7 @@ subpaths
 testFailures
 #select
 | main.rs:16:10:16:10 | c | main.rs:13:13:13:22 | source(...) | main.rs:16:10:16:10 | c | $@ | main.rs:13:13:13:22 | source(...) | source(...) |
+| main.rs:32:10:32:11 | * ... | main.rs:31:10:31:19 | source(...) | main.rs:32:10:32:11 | * ... | $@ | main.rs:31:10:31:19 | source(...) | source(...) |
 | main.rs:38:10:38:10 | n | main.rs:42:15:42:24 | source(...) | main.rs:38:10:38:10 | n | $@ | main.rs:42:15:42:24 | source(...) | source(...) |
 | main.rs:70:10:70:30 | my_number.to_number(...) | main.rs:69:40:69:49 | source(...) | main.rs:70:10:70:30 | my_number.to_number(...) | $@ | main.rs:69:40:69:49 | source(...) | source(...) |
 | main.rs:80:10:80:31 | my_number.get_number(...) | main.rs:79:41:79:50 | source(...) | main.rs:80:10:80:31 | my_number.get_number(...) | $@ | main.rs:79:41:79:50 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/pointers/main.rs b/rust/ql/test/library-tests/dataflow/pointers/main.rs
@@ -29,7 +29,7 @@ fn write_and_read_through_borrow() {
     let b = &mut a;
     sink(*b);
     *b = source(37);
-    sink(*b); // $ MISSING: hasValueFlow=37
+    sink(*b); // $ hasValueFlow=37
     *b = 0;
     sink(*b); // now cleared
 }
diff --git a/rust/ql/test/utils-tests/modelgenerator/option.rs b/rust/ql/test/utils-tests/modelgenerator/option.rs
@@ -44,15 +44,17 @@ impl<T> MyOption<T> {
         }
     }
 
-    // summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // NOTE: The returned value inside the variant should be inside a `Reference`, requires handling
+    // `ref` in patterns.
+    // summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn as_ref(&self) -> MyOption<&T> {
         match *self {
             MySome(ref x) => MySome(x),
             MyNone => MyNone,
         }
     }
 
-    // summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn as_mut(&mut self) -> MyOption<&mut T> {
         match *self {
             MySome(ref mut x) => MySome(x),
@@ -285,30 +287,34 @@ impl<T> MyOption<T> {
         }
     }
 
-    // MISSING: summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated
-    // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // The below should be `ReturnValue.Reference` and not just `ReturnValue`.
+    // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated
+    // The content of `self` is overwritten so it does not flow to the return value.
+    // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     pub fn insert(&mut self, value: T) -> &mut T {
         *self = MySome(value);
 
         // SAFETY: the code above just filled the MyOption
         unsafe { self.as_mut().unwrap_unchecked() }
     }
 
-    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
-    // MISSING: repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     pub fn get_or_insert(&mut self, value: T) -> &mut T {
         self.get_or_insert_with(|| value)
     }
 
-    // summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     pub fn get_or_insert_default(&mut self) -> &mut T
     where
         T: Default,
     {
         self.get_or_insert_with(T::default)
     }
 
-    // summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     // MISSING: Mutating `self` parameter.
     pub fn get_or_insert_with<F>(&mut self, f: F) -> &mut T
     where
@@ -329,7 +335,7 @@ impl<T> MyOption<T> {
         mem::replace(self, MyNone)
     }
 
-    // summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated
     // MISSING: Uses `take` which doesn't have flow
     pub fn take_if<P>(&mut self, predicate: P) -> MyOption<T>
     where
@@ -378,7 +384,7 @@ impl<T, U> MyOption<(T, U)> {
 }
 
 impl<T> MyOption<&T> {
-    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn copied(self) -> MyOption<T>
     where
         T: Copy,
@@ -404,7 +410,7 @@ impl<T> MyOption<&T> {
 }
 
 impl<T> MyOption<&mut T> {
-    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn copied(self) -> MyOption<T>
     where
         T: Copy,
@@ -474,14 +480,14 @@ impl<T> From<T> for MyOption<T> {
 }
 
 impl<'a, T> From<&'a MyOption<T>> for MyOption<&'a T> {
-    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     fn from(o: &'a MyOption<T>) -> MyOption<&'a T> {
         o.as_ref()
     }
 }
 
 impl<'a, T> From<&'a mut MyOption<T>> for MyOption<&'a mut T> {
-    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     fn from(o: &'a mut MyOption<T>) -> MyOption<&'a mut T> {
         o.as_mut()
     }
diff --git a/rust/ql/test/utils-tests/modelgenerator/summaries.rs b/rust/ql/test/utils-tests/modelgenerator/summaries.rs
@@ -79,11 +79,12 @@ pub fn apply<F>(n: i64, f: F) -> i64 where F : FnOnce(i64) -> i64 {
 
 // Flow out of mutated arguments
 
+// summary=repo::test;crate::summaries::set_int;Argument[1];Argument[0].Reference;value;dfc-generated
 pub fn set_int(n: &mut i64, c: i64) {
     *n = c;
 }
 
-// summary=repo::test;crate::summaries::read_int;Argument[0];ReturnValue;value;dfc-generated
+// summary=repo::test;crate::summaries::read_int;Argument[0].Reference;ReturnValue;value;dfc-generated
 pub fn read_int(n: &mut i64) -> i64 {
     *n
 }

Original file line number	Diff line number	Diff line change
`@@ -81,9 +81,8 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, RustDataF`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`bindingset[c]`
`84`		`- string paramReturnNodeAsOutput(R::Callable c, ParameterPosition pos) {`
`85`		`- // TODO: Implement this to support returning through parameters.`
`86`		`- result = "paramReturnNodeAsOutput(" + c + ", " + pos + ")"`
	`84`	`+ string paramReturnNodeAsOutput(Callable c, ParameterPosition pos) {`
	`85`	`+ result = paramReturnNodeAsContentOutput(c, pos)`
`87`	`86`	`}`
`88`	`87`
`89`	`88`	`bindingset[c]`
Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ fn mutates_argument_1() {`
`146`	`146`	`let m = &mut n;`
`147`	`147`	`sink(*m);`
`148`	`148`	`set_int(m, source(37));`
`149`		`- sink(*m); // $ MISSING: hasValueFlow=37`
	`149`	`+ sink(*m); // $ hasValueFlow=37`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`fn mutates_argument_2() {`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ fn write_and_read_through_borrow() {`
`29`	`29`	`let b = &mut a;`
`30`	`30`	`sink(*b);`
`31`	`31`	`*b = source(37);`
`32`		`- sink(*b); // $ MISSING: hasValueFlow=37`
	`32`	`+ sink(*b); // $ hasValueFlow=37`
`33`	`33`	`*b = 0;`
`34`	`34`	`sink(*b); // now cleared`
`35`	`35`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,15 +44,17 @@ impl<T> MyOption<T> {`
`44`	`44`	`}`
`45`	`45`	`}`
`46`	`46`
`47`		`- // summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`47`	+ // NOTE: The returned value inside the variant should be inside a `Reference`, requires handling
	`48`	+ // `ref` in patterns.
	`49`	`+ // summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
`48`	`50`	`pub fn as_ref(&self) -> MyOption<&T> {`
`49`	`51`	`match *self {`
`50`	`52`	`MySome(ref x) => MySome(x),`
`51`	`53`	`MyNone => MyNone,`
`52`	`54`	`}`
`53`	`55`	`}`
`54`	`56`
`55`		`- // summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`57`	`+ // summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
`56`	`58`	`pub fn as_mut(&mut self) -> MyOption<&mut T> {`
`57`	`59`	`match *self {`
`58`	`60`	`MySome(ref mut x) => MySome(x),`
`@@ -285,30 +287,34 @@ impl<T> MyOption<T> {`
`285`	`287`	`}`
`286`	`288`	`}`
`287`	`289`
`288`		`- // MISSING: summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated`
`289`		`- // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
	`290`	`+ // summary=repo::test;<crate::option::MyOption>::insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`291`	+ // The below should be `ReturnValue.Reference` and not just `ReturnValue`.
	`292`	`+ // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated`
	`293`	+ // The content of `self` is overwritten so it does not flow to the return value.
	`294`	`+ // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
`290`	`295`	`pub fn insert(&mut self, value: T) -> &mut T {`
`291`	`296`	`*self = MySome(value);`
`292`	`297`
`293`	`298`	`// SAFETY: the code above just filled the MyOption`
`294`	`299`	`unsafe { self.as_mut().unwrap_unchecked() }`
`295`	`300`	`}`
`296`	`301`
`297`		`- // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
`298`		`- // MISSING: repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated`
	`302`	`+ // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`303`	`+ // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated`
	`304`	`+ // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
`299`	`305`	`pub fn get_or_insert(&mut self, value: T) -> &mut T {`
`300`	`306`	`self.get_or_insert_with(\|\| value)`
`301`	`307`	`}`
`302`	`308`
`303`		`- // summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
	`309`	`+ // summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
`304`	`310`	`pub fn get_or_insert_default(&mut self) -> &mut T`
`305`	`311`	`where`
`306`	`312`	`T: Default,`
`307`	`313`	`{`
`308`	`314`	`self.get_or_insert_with(T::default)`
`309`	`315`	`}`
`310`	`316`
`311`		`- // summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
	`317`	`+ // summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated`
`312`	`318`	// MISSING: Mutating `self` parameter.
`313`	`319`	`pub fn get_or_insert_with<F>(&mut self, f: F) -> &mut T`
`314`	`320`	`where`
`@@ -329,7 +335,7 @@ impl<T> MyOption<T> {`
`329`	`335`	`mem::replace(self, MyNone)`
`330`	`336`	`}`
`331`	`337`
`332`		`- // summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated`
	`338`	`+ // summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated`
`333`	`339`	// MISSING: Uses `take` which doesn't have flow
`334`	`340`	`pub fn take_if<P>(&mut self, predicate: P) -> MyOption<T>`
`335`	`341`	`where`
`@@ -378,7 +384,7 @@ impl<T, U> MyOption<(T, U)> {`
`378`	`384`	`}`
`379`	`385`
`380`	`386`	`impl<T> MyOption<&T> {`
`381`		`- // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`387`	`+ // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
`382`	`388`	`pub fn copied(self) -> MyOption<T>`
`383`	`389`	`where`
`384`	`390`	`T: Copy,`
`@@ -404,7 +410,7 @@ impl<T> MyOption<&T> {`
`404`	`410`	`}`
`405`	`411`
`406`	`412`	`impl<T> MyOption<&mut T> {`
`407`		`- // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`413`	`+ // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
`408`	`414`	`pub fn copied(self) -> MyOption<T>`
`409`	`415`	`where`
`410`	`416`	`T: Copy,`
`@@ -474,14 +480,14 @@ impl<T> From<T> for MyOption<T> {`
`474`	`480`	`}`
`475`	`481`
`476`	`482`	`impl<'a, T> From<&'a MyOption<T>> for MyOption<&'a T> {`
`477`		`- // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`483`	`+ // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
`478`	`484`	`fn from(o: &'a MyOption<T>) -> MyOption<&'a T> {`
`479`	`485`	`o.as_ref()`
`480`	`486`	`}`
`481`	`487`	`}`
`482`	`488`
`483`	`489`	`impl<'a, T> From<&'a mut MyOption<T>> for MyOption<&'a mut T> {`
`484`		`- // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
	`490`	`+ // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated`
`485`	`491`	`fn from(o: &'a mut MyOption<T>) -> MyOption<&'a mut T> {`
`486`	`492`	`o.as_mut()`
`487`	`493`	`}`
Original file line number	Diff line number	Diff line change
`@@ -79,11 +79,12 @@ pub fn apply<F>(n: i64, f: F) -> i64 where F : FnOnce(i64) -> i64 {`
`79`	`79`
`80`	`80`	`// Flow out of mutated arguments`
`81`	`81`
	`82`	`+// summary=repo::test;crate::summaries::set_int;Argument[1];Argument[0].Reference;value;dfc-generated`
`82`	`83`	`pub fn set_int(n: &mut i64, c: i64) {`
`83`	`84`	`*n = c;`
`84`	`85`	`}`
`85`	`86`
`86`		`-// summary=repo::test;crate::summaries::read_int;Argument[0];ReturnValue;value;dfc-generated`
	`87`	`+// summary=repo::test;crate::summaries::read_int;Argument[0].Reference;ReturnValue;value;dfc-generated`
`87`	`88`	`pub fn read_int(n: &mut i64) -> i64 {`
`88`	`89`	`*n`
`89`	`90`	`}`