Rust: Have the alert message cite the variable, so it's easier to understand whether the alert is correct.

Author: geoffw0

rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll

@@ -22,7 +22,7 @@ module AccessAfterLifetime {
     /**
      * Gets the value this pointer or reference points to.
      */
-    abstract Expr getTargetValue();
+    abstract Expr getTarget();
   }
 
   /**
@@ -38,14 +38,14 @@ module AccessAfterLifetime {
   abstract class Barrier extends DataFlow::Node { }
 
   /**
-   * Holds if the pair `(source, sink)` that represents a flow from a
-   * pointer or reference to a dereference of that pointer or reference,
-   * and the dereference is outside the lifetime of the target value.
+   * Holds if the pair `(source, sink)`, that represents a flow from a
+   * pointer or reference to a dereference, has its dereference outside the
+   * lifetime of the target variable `target`.
    */
   bindingset[source, sink]
-  predicate dereferenceAfterLifetime(Source source, Sink sink) {
+  predicate dereferenceAfterLifetime(Source source, Sink sink, Variable target) {
     exists(BlockExpr valueScope, BlockExpr accessScope |
-      valueScope(source.getTargetValue(), valueScope) and
+      valueScope(source.getTarget(), target, valueScope) and
       accessScope = sink.asExpr().getExpr().getEnclosingBlock() and
       not maybeOnStack(valueScope, accessScope) and
       // exclude results where the access is in a closure, since we don't
@@ -55,14 +55,15 @@ module AccessAfterLifetime {
   }
 
   /**
-   * Holds if `value` accesses a variable with scope `scope`.
+   * Holds if `value` accesses a variable `target` with scope `scope`.
    */
-  private predicate valueScope(Expr value, BlockExpr scope) {
+  private predicate valueScope(Expr value, Variable target, BlockExpr scope) {
     // variable access
-    scope = value.(VariableAccess).getVariable().getEnclosingBlock()
+    target = value.(VariableAccess).getVariable() and
+    scope = target.getEnclosingBlock()
     or
     // field access
-    valueScope(value.(FieldExpr).getContainer(), scope)
+    valueScope(value.(FieldExpr).getContainer(), target, scope)
   }
 
   /**
@@ -91,6 +92,6 @@ module AccessAfterLifetime {
 
     RefExprSource() { this.asExpr().getExpr().(RefExpr).getExpr() = targetValue }
 
-    override Expr getTargetValue() { result = targetValue }
+    override Expr getTarget() { result = targetValue }
   }
 }

rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql

@@ -34,12 +34,11 @@ module AccessAfterLifetimeFlow = TaintTracking::Global<AccessAfterLifetimeConfig
 
 from
   AccessAfterLifetimeFlow::PathNode sourceNode, AccessAfterLifetimeFlow::PathNode sinkNode,
-  Expr targetValue
+  Variable target
 where
   // flow from a pointer or reference to the dereference
   AccessAfterLifetimeFlow::flowPath(sourceNode, sinkNode) and
-  targetValue = sourceNode.getNode().(AccessAfterLifetime::Source).getTargetValue() and
   // check that the dereference is outside the lifetime of the target
-  AccessAfterLifetime::dereferenceAfterLifetime(sourceNode.getNode(), sinkNode.getNode())
+  AccessAfterLifetime::dereferenceAfterLifetime(sourceNode.getNode(), sinkNode.getNode(), target)
 select sinkNode.getNode(), sourceNode, sinkNode,
-  "Access of a pointer to $@ after it's lifetime has ended.", targetValue, targetValue.toString()
+  "Access of a pointer to $@ after it's lifetime has ended.", target, target.toString()

rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected

@@ -1,27 +1,27 @@
 #select
-| lifetime.rs:69:13:69:14 | p1 | lifetime.rs:21:9:21:18 | &my_local1 | lifetime.rs:69:13:69:14 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:21:10:21:18 | my_local1 | my_local1 |
-| lifetime.rs:70:13:70:14 | p2 | lifetime.rs:27:9:27:22 | &mut my_local2 | lifetime.rs:70:13:70:14 | p2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:27:14:27:22 | my_local2 | my_local2 |
-| lifetime.rs:71:13:71:14 | p3 | lifetime.rs:33:9:33:28 | &raw const my_local3 | lifetime.rs:71:13:71:14 | p3 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:33:20:33:28 | my_local3 | my_local3 |
-| lifetime.rs:72:13:72:14 | p4 | lifetime.rs:39:9:39:26 | &raw mut my_local4 | lifetime.rs:72:13:72:14 | p4 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:39:18:39:26 | my_local4 | my_local4 |
-| lifetime.rs:74:13:74:14 | p6 | lifetime.rs:50:9:50:18 | &... | lifetime.rs:74:13:74:14 | p6 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:50:10:50:18 | val.value | val.value |
-| lifetime.rs:75:13:75:14 | p7 | lifetime.rs:63:8:63:27 | &raw const my_local7 | lifetime.rs:75:13:75:14 | p7 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:63:19:63:27 | my_local7 | my_local7 |
-| lifetime.rs:76:4:76:5 | p2 | lifetime.rs:27:9:27:22 | &mut my_local2 | lifetime.rs:76:4:76:5 | p2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:27:14:27:22 | my_local2 | my_local2 |
-| lifetime.rs:77:4:77:5 | p4 | lifetime.rs:39:9:39:26 | &raw mut my_local4 | lifetime.rs:77:4:77:5 | p4 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:39:18:39:26 | my_local4 | my_local4 |
-| lifetime.rs:172:13:172:15 | ptr | lifetime.rs:187:12:187:21 | &my_local1 | lifetime.rs:172:13:172:15 | ptr | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:187:13:187:21 | my_local1 | my_local1 |
-| lifetime.rs:255:14:255:17 | prev | lifetime.rs:251:10:251:19 | &my_local2 | lifetime.rs:255:14:255:17 | prev | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:251:11:251:19 | my_local2 | my_local2 |
-| lifetime.rs:310:31:310:32 | e1 | lifetime.rs:272:30:272:32 | &e1 | lifetime.rs:310:31:310:32 | e1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:272:31:272:32 | e1 | e1 |
-| lifetime.rs:317:13:317:18 | result | lifetime.rs:289:25:289:26 | &x | lifetime.rs:317:13:317:18 | result | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:289:26:289:26 | x | x |
-| lifetime.rs:411:16:411:17 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:411:16:411:17 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:383:31:383:37 | my_pair | my_pair |
-| lifetime.rs:416:16:416:17 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:416:16:416:17 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:383:31:383:37 | my_pair | my_pair |
-| lifetime.rs:428:7:428:8 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:428:7:428:8 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:383:31:383:37 | my_pair | my_pair |
-| lifetime.rs:433:7:433:8 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:433:7:433:8 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:383:31:383:37 | my_pair | my_pair |
-| lifetime.rs:459:13:459:14 | p1 | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:459:13:459:14 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:442:18:442:23 | my_val | my_val |
-| lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:442:18:442:23 | my_val | my_val |
-| lifetime.rs:659:15:659:18 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:659:15:659:18 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:654:32:654:35 | str1 | str1 |
-| lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:654:32:654:35 | str1 | str1 |
-| lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:655:22:655:25 | str2 | str2 |
-| lifetime.rs:692:13:692:14 | r1 | lifetime.rs:682:4:682:12 | &... | lifetime.rs:692:13:692:14 | r1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:682:5:682:12 | v1.value | v1.value |
-| lifetime.rs:693:13:693:14 | r2 | lifetime.rs:686:5:686:13 | &... | lifetime.rs:693:13:693:14 | r2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:686:6:686:13 | v2.value | v2.value |
+| lifetime.rs:69:13:69:14 | p1 | lifetime.rs:21:9:21:18 | &my_local1 | lifetime.rs:69:13:69:14 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:19:6:19:14 | my_local1 | my_local1 |
+| lifetime.rs:70:13:70:14 | p2 | lifetime.rs:27:9:27:22 | &mut my_local2 | lifetime.rs:70:13:70:14 | p2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:25:10:25:18 | my_local2 | my_local2 |
+| lifetime.rs:71:13:71:14 | p3 | lifetime.rs:33:9:33:28 | &raw const my_local3 | lifetime.rs:71:13:71:14 | p3 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:31:6:31:14 | my_local3 | my_local3 |
+| lifetime.rs:72:13:72:14 | p4 | lifetime.rs:39:9:39:26 | &raw mut my_local4 | lifetime.rs:72:13:72:14 | p4 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:37:10:37:18 | my_local4 | my_local4 |
+| lifetime.rs:74:13:74:14 | p6 | lifetime.rs:50:9:50:18 | &... | lifetime.rs:74:13:74:14 | p6 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:47:6:47:8 | val | val |
+| lifetime.rs:75:13:75:14 | p7 | lifetime.rs:63:8:63:27 | &raw const my_local7 | lifetime.rs:75:13:75:14 | p7 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:62:7:62:15 | my_local7 | my_local7 |
+| lifetime.rs:76:4:76:5 | p2 | lifetime.rs:27:9:27:22 | &mut my_local2 | lifetime.rs:76:4:76:5 | p2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:25:10:25:18 | my_local2 | my_local2 |
+| lifetime.rs:77:4:77:5 | p4 | lifetime.rs:39:9:39:26 | &raw mut my_local4 | lifetime.rs:77:4:77:5 | p4 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:37:10:37:18 | my_local4 | my_local4 |
+| lifetime.rs:172:13:172:15 | ptr | lifetime.rs:187:12:187:21 | &my_local1 | lifetime.rs:172:13:172:15 | ptr | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:186:6:186:14 | my_local1 | my_local1 |
+| lifetime.rs:255:14:255:17 | prev | lifetime.rs:251:10:251:19 | &my_local2 | lifetime.rs:255:14:255:17 | prev | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:242:7:242:15 | my_local2 | my_local2 |
+| lifetime.rs:310:31:310:32 | e1 | lifetime.rs:272:30:272:32 | &e1 | lifetime.rs:310:31:310:32 | e1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:271:6:271:7 | e1 | e1 |
+| lifetime.rs:317:13:317:18 | result | lifetime.rs:289:25:289:26 | &x | lifetime.rs:317:13:317:18 | result | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:289:17:289:17 | x | x |
+| lifetime.rs:411:16:411:17 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:411:16:411:17 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:382:11:382:17 | my_pair | my_pair |
+| lifetime.rs:416:16:416:17 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:416:16:416:17 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:382:11:382:17 | my_pair | my_pair |
+| lifetime.rs:428:7:428:8 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:428:7:428:8 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:382:11:382:17 | my_pair | my_pair |
+| lifetime.rs:433:7:433:8 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:433:7:433:8 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:382:11:382:17 | my_pair | my_pair |
+| lifetime.rs:459:13:459:14 | p1 | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:459:13:459:14 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:441:6:441:11 | my_val | my_val |
+| lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:441:6:441:11 | my_val | my_val |
+| lifetime.rs:659:15:659:18 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:659:15:659:18 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:653:8:653:11 | str1 | str1 |
+| lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:653:8:653:11 | str1 | str1 |
+| lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:651:7:651:10 | str2 | str2 |
+| lifetime.rs:692:13:692:14 | r1 | lifetime.rs:682:4:682:12 | &... | lifetime.rs:692:13:692:14 | r1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:681:8:681:9 | v1 | v1 |
+| lifetime.rs:693:13:693:14 | r2 | lifetime.rs:686:5:686:13 | &... | lifetime.rs:693:13:693:14 | r2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:685:8:685:9 | v2 | v2 |
 | lifetime.rs:725:2:725:12 | ptr | lifetime.rs:724:2:724:12 | &val | lifetime.rs:725:2:725:12 | ptr | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:724:2:724:12 | val | val |
 edges
 | deallocation.rs:148:6:148:7 | p1 | deallocation.rs:151:14:151:15 | p1 | provenance |  |