temp

Author: hvitved

rust/ql/lib/codeql/rust/controlflow/CfgNodes.qll

@@ -264,8 +264,12 @@ final class RecordPatCfgNode extends Nodes::RecordPatCfgNode {
   PatCfgNode getFieldPat(string field) {
     exists(RecordPatField rpf |
       rpf = node.getRecordPatFieldList().getAField() and
-      any(ChildMapping mapping).hasCfgChild(node, rpf.getPat(), this, result) and
+      any(ChildMapping mapping).hasCfgChild(node, rpf.getPat(), this, result)
+    |
       field = rpf.getNameRef().getText()
+      or
+      not rpf.hasNameRef() and
+      field = result.(IdentPatCfgNode).getName().getText()
     )
   }
 }

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -15,6 +15,7 @@ private import codeql.rust.dataflow.Ssa
 private import codeql.rust.dataflow.FlowSummary
 private import FlowSummaryImpl as FlowSummaryImpl
 private import codeql.rust.elements.internal.PathResolution as PathResolution
+private import codeql.rust.elements.internal.TypeInference as TypeInference
 
 /**
  * A return kind. A return kind describes how a value can be returned from a
@@ -738,10 +739,6 @@ abstract class Content extends TContent {
  */
 abstract class VariantContent extends Content { }
 
-private TupleField getVariantTupleField(Variant v, int i) {
-  result = v.getFieldList().(TupleFieldList).getField(i)
-}
-
 /** A tuple variant. */
 private class VariantTupleFieldContent extends VariantContent, TVariantTupleFieldContent {
   private Variant v;
@@ -755,16 +752,11 @@ private class VariantTupleFieldContent extends VariantContent, TVariantTupleFiel
     exists(string name |
       name = v.getName().getText() and
       // only print indices when the arity is > 1
-      if exists(getVariantTupleField(v, 1)) then result = name + "(" + pos_ + ")" else result = name
+      if exists(v.getTupleField(1)) then result = name + "(" + pos_ + ")" else result = name
     )
   }
 
-  final override Location getLocation() { result = getVariantTupleField(v, pos_).getLocation() }
-}
-
-private RecordField getVariantRecordField(Variant v, string field) {
-  result = v.getFieldList().(RecordFieldList).getAField() and
-  field = result.getName().getText()
+  final override Location getLocation() { result = v.getTupleField(pos_).getLocation() }
 }
 
 /** A record variant. */
@@ -780,34 +772,56 @@ private class VariantRecordFieldContent extends VariantContent, TVariantRecordFi
     exists(string name |
       name = v.getName().getText() and
       // only print field when the arity is > 1
-      if strictcount(string f | exists(getVariantRecordField(v, f))) > 1
+      if strictcount(v.getRecordField(_)) > 1
       then result = name + "{" + field_ + "}"
       else result = name
     )
   }
 
   final override Location getLocation() {
-    result = getVariantRecordField(v, field_).getName().getLocation()
+    result = v.getRecordField(field_).getName().getLocation()
+  }
+}
+
+abstract private class FieldContent extends Content {
+  pragma[nomagic]
+  abstract FieldExprCfgNode getAnAccess();
+}
+
+/** Content stored in a tuple field on a struct. */
+private class StructTupleFieldContent extends FieldContent, TStructTupleFieldContent {
+  private Struct s;
+  private int pos_;
+
+  StructTupleFieldContent() { this = TStructTupleFieldContent(s, pos_) }
+
+  Struct getStruct(int pos) { result = s and pos = pos_ }
+
+  override FieldExprCfgNode getAnAccess() {
+    s.getTupleField(pos_) = TypeInference::resolveTupleFieldExpr(result.getFieldExpr())
   }
+
+  override string toString() { result = s.getName().getText() + "." + pos_.toString() }
+
+  override Location getLocation() { result = s.getTupleField(pos_).getLocation() }
 }
 
-/** Content stored in a field on a struct. */
-private class StructFieldContent extends Content, TStructFieldContent {
+/** Content stored in a record field on a struct. */
+private class StructRecordFieldContent extends FieldContent, TStructRecordFieldContent {
   private Struct s;
   private string field_;
 
-  StructFieldContent() { this = TStructFieldContent(s, field_) }
+  StructRecordFieldContent() { this = TStructRecordFieldContent(s, field_) }
 
   Struct getStruct(string field) { result = s and field = field_ }
 
+  override FieldExprCfgNode getAnAccess() {
+    s.getRecordField(field_) = TypeInference::resolveRecordFieldExpr(result.getFieldExpr())
+  }
+
   override string toString() { result = s.getName().getText() + "." + field_.toString() }
 
-  override Location getLocation() {
-    exists(Name f | f = s.getFieldList().(RecordFieldList).getAField().getName() |
-      f.getText() = field_ and
-      result = f.getLocation()
-    )
-  }
+  override Location getLocation() { result = s.getRecordField(field_).getName().getLocation() }
 }
 
 /** A captured variable. */
@@ -851,23 +865,23 @@ final class ElementContent extends Content, TElementContent {
  * NOTE: Unlike `struct`s and `enum`s tuples are structural and not nominal,
  * hence we don't store a canonical path for them.
  */
-final class TuplePositionContent extends Content, TTuplePositionContent {
+final class TuplePositionContent extends FieldContent, TTuplePositionContent {
   private int pos;
 
   TuplePositionContent() { this = TTuplePositionContent(pos) }
 
   int getPosition() { result = pos }
 
+  override FieldExprCfgNode getAnAccess() {
+    // todo: limit to tuple types
+    result.getNameRef().getText().toInt() = pos
+  }
+
   override string toString() { result = "tuple." + pos.toString() }
 
   override Location getLocation() { result instanceof EmptyLocation }
 }
 
-/** Holds if `access` indexes a tuple at an index corresponding to `c`. */
-private predicate fieldTuplePositionContent(FieldExprCfgNode access, TuplePositionContent c) {
-  access.getNameRef().getText().toInt() = c.getPosition()
-}
-
 /** A value that represents a set of `Content`s. */
 abstract class ContentSet extends TContentSet {
   /** Gets a textual representation of this element. */
@@ -1103,6 +1117,10 @@ module RustDataFlow implements InputSig<Location> {
     pathResolveToVariant(p, v)
   }
 
+  /** Holds if `p` destructs an struct `s`. */
+  pragma[nomagic]
+  private predicate tupleStructDestruction(TupleStructPat p, Struct s) { pathResolveToStruct(p, s) }
+
   /** Holds if `p` destructs an enum variant `v`. */
   pragma[nomagic]
   private predicate recordVariantDestruction(RecordPat p, Variant v) { pathResolveToVariant(p, v) }
@@ -1124,6 +1142,8 @@ module RustDataFlow implements InputSig<Location> {
       |
         tupleVariantDestruction(pat.getPat(), c.(VariantTupleFieldContent).getVariant(pos))
         or
+        tupleStructDestruction(pat.getPat(), c.(StructTupleFieldContent).getStruct(pos))
+        or
         VariantLib::tupleVariantCanonicalDestruction(pat.getPat(), c, pos)
       )
       or
@@ -1140,7 +1160,7 @@ module RustDataFlow implements InputSig<Location> {
           recordVariantDestruction(pat.getPat(), c.(VariantRecordFieldContent).getVariant(field))
           or
           // Pattern destructs a struct.
-          structDestruction(pat.getPat(), c.(StructFieldContent).getStruct(field))
+          structDestruction(pat.getPat(), c.(StructRecordFieldContent).getStruct(field))
         ) and
         node2.asPat() = pat.getFieldPat(field)
       )
@@ -1149,11 +1169,9 @@ module RustDataFlow implements InputSig<Location> {
       node1.asPat().(RefPatCfgNode).getPat() = node2.asPat()
       or
       exists(FieldExprCfgNode access |
-        // Read of a tuple entry
-        fieldTuplePositionContent(access, c) and
-        // TODO: Handle read of a struct field.
         node1.asExpr() = access.getExpr() and
-        node2.asExpr() = access
+        node2.asExpr() = access and
+        access = c.(FieldContent).getAnAccess()
       )
       or
       exists(IndexExprCfgNode arr |
@@ -1211,12 +1229,13 @@ module RustDataFlow implements InputSig<Location> {
   pragma[nomagic]
   private predicate structConstruction(RecordExpr re, Struct s) { pathResolveToStruct(re, s) }
 
-  private predicate tupleAssignment(Node node1, Node node2, TuplePositionContent c) {
+  pragma[nomagic]
+  private predicate fieldAssignment(Node node1, Node node2, FieldContent c) {
     exists(AssignmentExprCfgNode assignment, FieldExprCfgNode access |
       assignment.getLhs() = access and
-      fieldTuplePositionContent(access, c) and
       node1.asExpr() = assignment.getRhs() and
-      node2.asExpr() = access.getExpr()
+      node2.asExpr() = access.getExpr() and
+      access = c.getAnAccess()
     )
   }
 
@@ -1238,7 +1257,7 @@ module RustDataFlow implements InputSig<Location> {
           c.(VariantRecordFieldContent).getVariant(field))
         or
         // Expression is for a struct.
-        structConstruction(re.getRecordExpr(), c.(StructFieldContent).getStruct(field))
+        structConstruction(re.getRecordExpr(), c.(StructRecordFieldContent).getStruct(field))
       ) and
       node1.asExpr() = re.getFieldExpr(field) and
       node2.asExpr() = re
@@ -1256,7 +1275,7 @@ module RustDataFlow implements InputSig<Location> {
         node2.asExpr().(ArrayListExprCfgNode).getAnExpr()
       ]
     or
-    tupleAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
+    fieldAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
     or
     exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index |
       c instanceof ElementContent and
@@ -1292,7 +1311,7 @@ module RustDataFlow implements InputSig<Location> {
    * in `x.f = newValue`.
    */
   predicate clearsContent(Node n, ContentSet cs) {
-    tupleAssignment(_, n, cs.(SingletonContentSet).getContent())
+    fieldAssignment(_, n, cs.(SingletonContentSet).getContent())
     or
     FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(Node::FlowSummaryNode).getSummaryNode(),
       cs)
@@ -1598,12 +1617,12 @@ private module Cached {
 
   cached
   newtype TContent =
-    TVariantTupleFieldContent(Variant v, int pos) { exists(getVariantTupleField(v, pos)) } or
+    TVariantTupleFieldContent(Variant v, int pos) { exists(v.getTupleField(pos)) } or
     // TODO: Remove once library types are extracted
     TVariantLibTupleFieldContent(VariantLib::VariantLib v, int pos) {
       VariantLib::variantLibPos(v, pos)
     } or
-    TVariantRecordFieldContent(Variant v, string field) { exists(getVariantRecordField(v, field)) } or
+    TVariantRecordFieldContent(Variant v, string field) { exists(v.getRecordField(field)) } or
     TElementContent() or
     TTuplePositionContent(int pos) {
       pos in [0 .. max([
@@ -1612,9 +1631,8 @@ private module Cached {
               ]
           )]
     } or
-    TStructFieldContent(Struct s, string field) {
-      field = s.getFieldList().(RecordFieldList).getAField().getName().getText()
-    } or
+    TStructTupleFieldContent(Struct s, int pos) { exists(s.getTupleField(pos)) } or
+    TStructRecordFieldContent(Struct s, string field) { exists(s.getRecordField(field)) } or
     TCapturedVariableContent(VariableCapture::CapturedVariable v) or
     TReferenceContent()
 

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -83,7 +83,7 @@ module Input implements InputSig<Location, RustDataFlow> {
       or
       exists(Struct s, string field |
         result = "Struct" and
-        c = TStructFieldContent(s, field) and
+        c = TStructRecordFieldContent(s, field) and
         // TODO: calculate in QL
         arg = s.getExtendedCanonicalPath() + "::" + field
       )

rust/ql/lib/codeql/rust/elements/internal/StructImpl.qll

@@ -4,6 +4,7 @@
  * INTERNAL: Do not use.
  */
 
+private import rust
 private import codeql.rust.elements.internal.generated.Struct
 
 /**
@@ -20,5 +21,16 @@ module Impl {
    */
   class Struct extends Generated::Struct {
     override string toString() { result = "struct " + this.getName().getText() }
+
+    /** Gets the record field named `name`, if any. */
+    pragma[nomagic]
+    RecordField getRecordField(string name) {
+      result = this.getFieldList().(RecordFieldList).getAField() and
+      result.getName().getText() = name
+    }
+
+    /** Gets the `i`th tuple field, if any. */
+    pragma[nomagic]
+    TupleField getTupleField(int i) { result = this.getFieldList().(TupleFieldList).getField(i) }
   }
 }