Rust: Fix spurious results involving closures.

geoffw0 · geoffw0 · commit 79f8584efb66 · 2025-06-09T10:25:48.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
@@ -47,7 +47,10 @@ module AccessAfterLifetime {
     exists(BlockExpr valueScope, BlockExpr accessScope |
       valueScope(source.getTargetValue(), valueScope) and
       accessScope = sink.asExpr().getExpr().getEnclosingBlock() and
-      not maybeOnStack(valueScope, accessScope)
+      not maybeOnStack(valueScope, accessScope) and
+      // exclude results where the access is in a closure, since we don't
+      // model where a closure is actually called here.
+      not accessScope.getEnclosingBlock*() = any(ClosureExpr ce).getBody()
     )
   }
 
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -17,9 +17,6 @@
 | lifetime.rs:433:7:433:8 | p1 | lifetime.rs:383:31:383:37 | &raw mut my_pair | lifetime.rs:433:7:433:8 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:383:31:383:37 | my_pair | my_pair |
 | lifetime.rs:459:13:459:14 | p1 | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:459:13:459:14 | p1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:442:18:442:23 | my_val | my_val |
 | lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | lifetime.rs:442:17:442:23 | &my_val | lifetime.rs:460:13:460:31 | get_ptr_from_ref(...) | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:442:18:442:23 | my_val | my_val |
-| lifetime.rs:520:14:520:15 | p3 | lifetime.rs:542:26:542:35 | &my_local3 | lifetime.rs:520:14:520:15 | p3 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:542:27:542:35 | my_local3 | my_local3 |
-| lifetime.rs:521:14:521:15 | p4 | lifetime.rs:543:4:543:13 | &my_local4 | lifetime.rs:521:14:521:15 | p4 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:543:5:543:13 | my_local4 | my_local4 |
-| lifetime.rs:553:14:553:15 | p2 | lifetime.rs:534:3:534:12 | &my_local5 | lifetime.rs:553:14:553:15 | p2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:534:4:534:12 | my_local5 | my_local5 |
 | lifetime.rs:659:15:659:18 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:659:15:659:18 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:654:32:654:35 | str1 | str1 |
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:654:32:654:35 | str1 | str1 |
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:655:22:655:25 | str2 | str2 |
diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -517,8 +517,8 @@ fn get_closure(p3: *const i64, p4: *const i64) -> impl FnOnce() {
 		unsafe {
 			let v1 = *p1; // $ MISSING: Alert[rust/access-after-lifetime-ended]=local1
 			let v2 = *p2; // GOOD
-			let v3 = *p3; // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]=local3
-			let v4 = *p4; // $ Alert[rust/access-after-lifetime-ended]=local4
+			let v3 = *p3; // GOOD
+			let v4 = *p4; // $ MISSING: Alert[rust/access-after-lifetime-ended]=local4
 			println!("	v1 = {v1} (!)"); // corrupt in practice
 			println!("	v2 = {v2}");
 			println!("	v3 = {v3}");
@@ -531,16 +531,16 @@ fn with_closure(ptr: *const i64, closure: fn(*const i64, *const i64)) {
 	let my_local5: i64 = 5;
 
 	closure(ptr,
-		&my_local5); // $ SPURIOUS: Source[rust/access-after-lifetime-ended]=local5
+		&my_local5);
 }
 
 pub fn test_closures() {
 	let closure;
 	let my_local3: i64 = 3;
 	{
 		let my_local4: i64 = 4;
-		closure = get_closure( &my_local3, // $ SPURIOUS: Source[rust/access-after-lifetime-ended]=local3
-			&my_local4); // $ Source[rust/access-after-lifetime-ended]=local4
+		closure = get_closure( &my_local3,
+			&my_local4); // $ MISSING: Source[rust/access-after-lifetime-ended]=local4
 	} // (`my_local4` goes out of scope, so `p4` is dangling)
 
 	use_the_stack();
@@ -550,7 +550,7 @@ pub fn test_closures() {
 	with_closure(&my_local3, |p1, p2| {
 		unsafe {
 			let v5 = *p1; // GOOD
-			let v6 = *p2; // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]=local5
+			let v6 = *p2; // $ GOOD
 			println!("	v5 = {v5}");
 			println!("	v6 = {v6}");
 		}

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,10 @@ module AccessAfterLifetime {`
`47`	`47`	`exists(BlockExpr valueScope, BlockExpr accessScope \|`
`48`	`48`	`valueScope(source.getTargetValue(), valueScope) and`
`49`	`49`	`accessScope = sink.asExpr().getExpr().getEnclosingBlock() and`
`50`		`- not maybeOnStack(valueScope, accessScope)`
	`50`	`+ not maybeOnStack(valueScope, accessScope) and`
	`51`	`+ // exclude results where the access is in a closure, since we don't`
	`52`	`+ // model where a closure is actually called here.`
	`53`	`+ not accessScope.getEnclosingBlock*() = any(ClosureExpr ce).getBody()`
`51`	`54`	`)`
`52`	`55`	`}`
`53`	`56`