Merge pull request #21147 from hvitved/rust/fix-more-models

Rust: Add missing `.Reference` in various models

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -128,38 +128,35 @@ private predicate summaryModel(
 }
 
 private predicate summaryModelRelevant(
-  Function f, string input, string output, string kind, Provenance provenance,
+  Function f, string input, string output, string kind, Provenance provenance, boolean isInherited,
   QlBuiltins::ExtensionId madId
 ) {
-  exists(boolean isInherited |
-    summaryModel(f, input, output, kind, provenance, isInherited, madId)
-  |
-    // Only apply generated or inherited models to functions in library code and
-    // when no strictly better model exists
-    if provenance.isGenerated() or isInherited = true
-    then
-      not f.fromSource() and
-      not exists(Provenance other | summaryModel(f, _, _, _, other, false, _) |
-        provenance.isGenerated() and other.isManual()
-        or
-        provenance = other and isInherited = true
-      )
-    else any()
-  )
+  summaryModel(f, input, output, kind, provenance, isInherited, madId) and
+  // Only apply generated or inherited models to functions in library code and
+  // when no strictly better model exists
+  if provenance.isGenerated() or isInherited = true
+  then
+    not f.fromSource() and
+    not exists(Provenance other | summaryModel(f, _, _, _, other, false, _) |
+      provenance.isGenerated() and other.isManual()
+      or
+      provenance = other and isInherited = true
+    )
+  else any()
 }
 
 private class SummarizedCallableFromModel extends SummarizedCallable::Range {
-  SummarizedCallableFromModel() { summaryModelRelevant(this, _, _, _, _, _) }
+  SummarizedCallableFromModel() { summaryModelRelevant(this, _, _, _, _, _, _) }
 
   override predicate hasProvenance(Provenance provenance) {
-    summaryModelRelevant(this, _, _, _, provenance, _)
+    summaryModelRelevant(this, _, _, _, provenance, _, _)
   }
 
   override predicate propagatesFlow(
     string input, string output, boolean preservesValue, string model
   ) {
     exists(string kind, QlBuiltins::ExtensionId madId |
-      summaryModelRelevant(this, input, output, kind, _, madId) and
+      summaryModelRelevant(this, input, output, kind, _, _, madId) and
       model = "MaD:" + madId.toString()
     |
       kind = "value" and
@@ -202,3 +199,56 @@ private class FlowSinkFromModel extends FlowSink::Range {
     )
   }
 }
+
+private module Debug {
+  private import FlowSummaryImpl
+  private import Private
+  private import Content
+  private import codeql.rust.dataflow.internal.DataFlowImpl
+  private import codeql.rust.internal.TypeMention
+  private import codeql.rust.internal.Type
+
+  private predicate relevantManualModel(SummarizedCallableImpl sc, string can) {
+    exists(Provenance manual |
+      can = sc.getCanonicalPath() and
+      summaryModelRelevant(sc, _, _, _, manual, false, _) and
+      manual.isManual()
+    )
+  }
+
+  predicate manualModelMissingParameterReference(
+    SummarizedCallableImpl sc, string can, SummaryComponentStack input, ParamBase p
+  ) {
+    exists(RustDataFlow::ParameterPosition pos, TypeMention tm |
+      relevantManualModel(sc, can) and
+      sc.propagatesFlow(input, _, _, _) and
+      input.head() = SummaryComponent::argument(pos) and
+      p = pos.getParameterIn(sc.getParamList()) and
+      tm.resolveType() instanceof RefType and
+      not input.tail().head() = SummaryComponent::content(TSingletonContentSet(TReferenceContent()))
+    |
+      tm = p.getTypeRepr()
+      or
+      tm = getSelfParamTypeMention(p)
+    )
+  }
+
+  predicate manualModelMissingReturnReference(
+    SummarizedCallableImpl sc, string can, SummaryComponentStack output
+  ) {
+    exists(TypeMention tm |
+      relevantManualModel(sc, can) and
+      sc.propagatesFlow(_, output, _, _) and
+      tm.resolveType() instanceof RefType and
+      output.head() = SummaryComponent::return(_) and
+      not output.tail().head() =
+        SummaryComponent::content(TSingletonContentSet(TReferenceContent())) and
+      tm = getReturnTypeMention(sc) and
+      not can =
+        [
+          "<& as core::ops::deref::Deref>::deref",
+          "<&mut as core::ops::deref::Deref>::deref"
+        ]
+    )
+  }
+}

rust/ql/lib/codeql/rust/frameworks/futures.model.yml

@@ -5,7 +5,6 @@ extensions:
     data:
       - ["futures_executor::local_pool::block_on", "Argument[0]", "ReturnValue", "value", "manual"]
       - ["<futures_util::io::buf_reader::BufReader>::new", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["<_ as futures_util::io::AsyncReadExt>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
       - ["<_ as futures_util::io::AsyncReadExt>::read", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
       - ["<_ as futures_util::io::AsyncReadExt>::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
       - ["<_ as futures_util::io::AsyncBufReadExt>::read_line", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/alloc.model.yml

@@ -47,11 +47,11 @@ extensions:
       - ["<core::alloc::layout::Layout>::pad_to_align", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
       - ["<core::alloc::layout::Layout>::size", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
       # String
-      - ["<alloc::string::String>::as_str", "Argument[self]", "ReturnValue", "value", "manual"]
-      - ["<alloc::string::String>::as_bytes", "Argument[self]", "ReturnValue", "value", "manual"]
+      - ["<alloc::string::String>::as_str", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
+      - ["<alloc::string::String>::as_bytes", "Argument[self].Reference", "ReturnValue.Reference.Element", "taint", "manual"]
       - ["<_ as alloc::string::ToString>::to_string", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
         # Overwrite generated model
-      - ["<alloc::string::String as core::ops::arith::Add>::add", "Argument[self,0]", "ReturnValue", "taint", "manual"]
+      - ["<alloc::string::String as core::ops::arith::Add>::add", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<alloc::string::String as core::ops::arith::Add>::add", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
       # Vec
       - ["alloc::vec::from_elem", "Argument[0]", "ReturnValue.Element", "value", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml

@@ -114,7 +114,7 @@ extensions:
       - ["<core::pin::Pin as core::ops::deref::Deref>::deref", "Argument[self].Reference.Field[core::pin::Pin::pointer].Reference", "ReturnValue.Reference", "value", "manual"]
       - ["<core::pin::Pin as core::ops::deref::Deref>::deref", "Argument[self].Reference.Field[core::pin::Pin::pointer].Field[alloc::boxed::Box(0)]", "ReturnValue.Reference", "value", "manual"]
       # Str
-      - ["<core::str>::as_str", "Argument[self]", "ReturnValue", "value", "manual"]
+      - ["<core::str>::as_str", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
       - ["<core::str>::as_bytes", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]
       - ["<core::str>::parse", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
       - ["<core::str>::trim", "Argument[self].Reference", "ReturnValue.Reference", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml

@@ -61,7 +61,7 @@ extensions:
       - ["<std::path::PathBuf>::as_path", "Argument[self].Reference", "ReturnValue.Reference", "value", "manual"]
       - ["<std::path::PathBuf>::into_boxed_path", "Argument[self]", "ReturnValue.Field[alloc::boxed::Box(0)]", "taint", "manual"]
       - ["<std::path::Path>::new", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
-      - ["<std::path::Path>::join", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<std::path::Path>::join", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
       - ["<std::path::Path>::join", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["<std::path::Path>::as_os_str", "Argument[self].Reference.Field[std::path::Path::inner]", "ReturnValue.Reference", "value", "manual"]
       - ["<std::path::Path>::as_mut_os_str", "Argument[self].Reference.Field[std::path::Path::inner]", "ReturnValue.Reference", "value", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/net.model.yml

@@ -9,4 +9,4 @@ extensions:
       pack: codeql/rust-all
       extensible: summaryModel
     data:
-      - ["<std::net::tcp::TcpStream>::try_clone", "Argument[self]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
+      - ["<std::net::tcp::TcpStream>::try_clone", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]