Rust: Exclude results where the source is a reference.

geoffw0 · geoffw0 · commit 858eec390da7 · 2025-06-09T17:58:40.000+01:00
diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
@@ -6,6 +6,8 @@
 import rust
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.security.AccessInvalidPointerExtensions
+private import codeql.rust.internal.Type
+private import codeql.rust.internal.TypeInference as TypeInference
 
 /**
  * Provides default sources, sinks and barriers for detecting accesses to a
@@ -55,9 +57,10 @@ module AccessAfterLifetime {
    * Holds if `value` accesses a variable `target` with scope `scope`.
    */
   private predicate valueScope(Expr value, Variable target, BlockExpr scope) {
-    // variable access
+    // variable access (to a non-reference)
     target = value.(VariableAccess).getVariable() and
-    scope = target.getEnclosingBlock()
+    scope = target.getEnclosingBlock() and
+    not TypeInference::inferType(value) instanceof RefType
     or
     // field access
     valueScope(value.(FieldExpr).getContainer(), target, scope)
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -20,8 +20,6 @@
 | lifetime.rs:659:15:659:18 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:659:15:659:18 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:653:8:653:11 | str1 | str1 |
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:653:8:653:11 | str1 | str1 |
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:651:7:651:10 | str2 | str2 |
-| lifetime.rs:692:13:692:14 | r1 | lifetime.rs:682:4:682:12 | &... | lifetime.rs:692:13:692:14 | r1 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:681:8:681:9 | v1 | v1 |
-| lifetime.rs:693:13:693:14 | r2 | lifetime.rs:686:5:686:13 | &... | lifetime.rs:693:13:693:14 | r2 | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:685:8:685:9 | v2 | v2 |
 | lifetime.rs:743:10:743:12 | ptr | lifetime.rs:733:9:733:12 | &val | lifetime.rs:743:10:743:12 | ptr | Access of a pointer to $@ after it's lifetime has ended. | lifetime.rs:731:6:731:8 | val | val |
 edges
 | deallocation.rs:148:6:148:7 | p1 | deallocation.rs:151:14:151:15 | p1 | provenance |  |
diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -679,18 +679,18 @@ impl MyType {
 	fn test(&self) {
 		let r1 = unsafe {
 			let v1 = &self;
-			&v1.value // $ SPURIOUS: Source[rust/access-after-lifetime-ended]=v1
+			&v1.value
 		};
 		let (r2, r3) = unsafe {
 			let v2 = &self;
-			(&v2.value, // $ SPURIOUS: Source[rust/access-after-lifetime-ended]=v2
+			(&v2.value,
 			 &self.value)
 		};
 
 		use_the_stack();
 
-		let v1 = *r1; // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]=v1
-		let v2 = *r2; // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]=v2
+		let v1 = *r1;
+		let v2 = *r2;
 		let v3 = *r3;
 		println!("	v1 = {v1}");
 		println!("	v2 = {v2}");
